Hacking a note-taking app from BITSCTF 2025. The exploit leverages a UTF-8 to ASCII conversion issue to inject XSS that remains unnoticed by DOMPurify and uses angular.js from Cloudflare CDN to bypass CSP restrictions.

These tasks originate from the WEB category at CTF Nullcon Goa HackIM 2025

The challenge involved crafting an XSS payload to extract a flag from an HTML tag, leveraging a vulnerability in the processing of uploaded .xlsx files and exploiting xmlattr vulnerability in Jinja2.