Crate & Sleeve
A member-funded vinyl-collector community. Listings carry sleeve photos, catalog numbers, condition grades — and a comment thread where everyone leaves notes for the seller.
The Scenario
Crate & Sleeve has run since 2014 on volunteer hosting and member dues — no auction bots, no eBay scraping, no premium tier. About four hundred records in rotation, a handful of moderators who scan the latest comments on their lunch break, and a codebase a college friend wrote one summer and never came back to. The comment thread is where regulars haggle over pressing variants and condition grades; it's also the part of the site the moderators trust their members on the most.
Challenge Intel
Synopsis
Listing comments render straight from the database with no escaping. Post a payload, wait for the volunteer moderator to scan the latest comments, and their cookie ends up on whichever interact subdomain the URL pointed at.
What It Is
`listing.php` echoes each comment via `<?= $comment['body'] ?>` inside `<div class="cmt__body">`. Comment bodies are persisted to SQLite verbatim from the POST body — no allowlist, no entity escaping, no DOM sanitiser. An admin bot scans new comments every 15 seconds and, when it sees any URL pointing at `*.interact.webverselabs-pro.com` inside a comment body, fetches that URL with the moderator's actual session cookie substituted for `document.cookie`. The moderator's cookie value is set to the flag at container start. The player retrieves the flag from their interact log.
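As an added example (not the challenge's own `listing.php`), the unescaped echo described above sits beside a hardened rendering of the same comment, plus the cookie flags and CSP header that cut off the cookie-theft half of the chain; the function names, the sample comment and the `PHPSESSID` cookie name are assumptions.

```php
<?php
// Added example, not the challenge's own listing.php: the page's unescaped echo
// next to a hardened rendering, plus defence-in-depth headers. Function names,
// the sample comment and the cookie name are assumptions.
declare(strict_types=1);

// Escape a comment body for an HTML text node. ENT_QUOTES covers both quote
// styles so the result is also safe inside a quoted attribute; ENT_SUBSTITUTE
// replaces malformed UTF-8 instead of returning "" and silently dropping text.
function escape_comment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: what the page says listing.php does today. Whatever markup was
// stored is handed to the browser as markup, so it runs on every re-render.
function render_comment_vulnerable(array $comment): string
{
    return '<div class="cmt__body">' . $comment['body'] . '</div>';
}

// Hardened: the body is treated as data, never as markup.
function render_comment_safe(array $comment): string
{
    return '<div class="cmt__body">' . escape_comment($comment['body']) . '</div>';
}

// Defence in depth for the cookie-theft step: a session cookie that page script
// cannot read, and an enforced CSP with no inline script (the challenge hints at
// a Report-Only header; switching it to enforcing is the fix). Must be called
// before any output is sent.
function send_session_hardening_headers(string $sessionId): void
{
    setcookie('PHPSESSID', $sessionId, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample comment: harmless markup a member might paste. The safe
// renderer shows it literally; the vulnerable one would render the <i> tag.
$comment = ['body' => 'Trade for my <i>Abbey Road</i> & a "2nd pressing"?'];
echo render_comment_safe($comment), "\n";
```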
Who It's For
A player ready to move beyond reflected XSS into stored XSS, the canonical PHP comment-system bug. Assumes familiarity with payloads that survive HTML parsing (`img onerror`, `svg onload`) and the understanding that `script` tags injected via `innerHTML` do not execute, but elements with error handlers do.
Skills You'll Practice
- Identifying an unescaped server-side echo in user-submitted content
- Writing a stored payload that fires on re-render
- Recognising the inline-script CSP-Report-Only signal
What You'll Gain
- A pattern for stored XSS in any PHP comment, forum or review surface
- Practical feel for how persistent injection differs from reflected