ctfwebxss

Ramadan's Spark CTF 2025 — WhatIsXSS


WhatIsXSS

XSS challenge

Upon opening the web application, we find a simple page explaining the XSS vulnerability and how it works.

Inspecting the source code, we discover a script.js file that contains the flag. However, the script is obfuscated, so we need to perform JavaScript deobfuscation.

Within the script, we encounter multiple fake flags, but the correct flag is stored inside a function called revealFlagyabro().

By executing a standard Stored XSS payload:

<img src=x onerror=revealFlagyabro() >

we successfully capture the flag, which is base64-encoded:

Flag: Spark{Y0u_N33d_t0_l34Rn_XSS!!!!!}