XSS Playground
CTF challenge XSS Playground by zseano. Level:Moderate, Name:XSS Playground by zseano Flags:1
This challenge opens a webpage http://35.227.24.107/XXXXXXXXXX/index.php containing details such as person photo, name, place, comments, give feedback...etc. There is option to add comment, feedback. After providing feedback, a message will be displayed and URL used is http://35.227.24.107/XXXXXXXXXX/index.php?msg=Thanks,%20your%20feedback%20has%20been%20received.%20We%20appreciate%20you%20sharing%20your%20feedback. What ever message we send in msg will be displayed on the webpage.
In webpage, there is no permission to see email, it says Error 403: You are not allowed to view emails. This must be the entry point. When checked the sources in inspection, there are files custom.js, feedback.js. In custom.js there are apis defined such as action.php, feedback.php, getemail.
Tried checking each api using the usrl http://35.227.24.107/XXXXXXXXXX/api/feedback.php, http://35.227.24.107/XXXXXXXXXX/api/getemail but these are not giving any response.
On further checking the custom.js file there is a header being set t.setRequestHeader("X-SAFEPROTECTION","enNlYW5vb2Zjb3Vyc2U="). Tried using this header for getemail api. Curl command will be curl -v -H "X-SAFEPROTECTION":"enNlYW5vb2Zjb3Vyc2U=" http://35.227.24.107/XXXXXXXXXX/api/action.php?act=getemail. This gave the email with the flag.

Comments
When send request using http 2, it will automatically change it to "X-Safeprotection", so, you need to force it using http 1.1