The challenge has two separate webpages one which is vulnerable to xss attacks and from which we must steal a cookie, and another where we can send links to be opened: Figure 1 The first app

Figure 2 Second app The input to be opened by it is : http://vanilla.hub/?name=

https://enqmimydnbiuecc.m.pipedream.net For the purpose of this challenge request.bin

Figure 3 this is the stolen cookie Figure 4 Vulnerable code in the application

Figure 5 Docker config hostname Because the get request to the 3002 app will echo it to the page Reflected XSS is possible. The bot on 3003 will open our request with the xss and we steal the cookie and then boom we’re done.