When loading the provided site, we're met with a pretty much blank (more on
that later) page running the following script:

The first part of the challenge is to obtain control of the attributes of the
inserted element, made difficult because the script appears to be checking for
an attrs cookie that we have no ability to set, since we only get to set the
tag cookie.

The setCookie function looks sane, and in fact the document.cookie API can
only set one cookie at a time, so there is no way to set the attrs cookie in
addition to the tag cookie here.

The getCookie function, however, has a problem. In the case of the attrs
cookie, it will search for the string attrs= in the cookie and return
everything up to the next semicolon. However, this check doesn't require that
attrs be its own cookie -- the string attrs= could simply appear in another
cookie, and that would be picked up! Further, since setElement truncates the
tag to the first character, we can insert the attrs bit in the tag cookie
without ruining our HTML!

**Full Writeup:** [https://github.com/pwning/public-
writeup/tree/master/rwctf2019/mission_invisible](https://github.com/pwning/public-
writeup/tree/master/rwctf2019/mission_invisible)

Original writeup (https://github.com/pwning/public-
writeup/blob/master/rwctf2019/mission_invisible).