- Published on
Hacking a note-taking app from BITSCTF 2025. The exploit leverages a UTF-8 to ASCII conversion issue to inject XSS that remains unnoticed by DOMPurify and uses angular.js from Cloudflare CDN to bypass CSP restrictions.
Web
All Posts (41)
- pwn (10)
- rev (8)
- bitsctf (6)
- bitsctf-2025 (6)
- web (5)
- crypto (5)
- osint (4)
- flagyard (4)
- pwntools (4)
- malware (4)
- forensic (3)
- nullcon (3)
- nullcon-2025 (3)
- pwnme-2025 (2)
- pwnme (2)
- xss (2)
- pingctf (2)
- misc (2)
- lactf (2)
- lactf-2025 (2)
- srop (2)
- stego (2)
- hardware (2)
- sqlinjection (2)
- pearl (2)
- utctf-2025 (2)
- utctf (2)
- dompurify (1)
- csp (1)
- unicode-overflow (1)
- games (1)
- 0xl4ugh (1)
- broncoctf (1)
- broncoctf-2025 (1)
- backdoorctf24 (1)
- torrent (1)
- pcap (1)
- elfisyou (1)
- baba-is-you (1)
- bluehensctf (1)
- glacierctf (1)
- cve-2024-34064 (1)
- hackthevotectf (1)
- arduino (1)
- lucky (1)
- rop (1)
- rsa (1)
- ret2libc (1)
- bcrypt (1)
- ssti (1)
- dns (1)
- dig (1)
- int-overflow (1)
- spookyctf (1)
- binary (1)
- ctflearncom (1)
- ping (1)
- ehax (1)
- ehax-2025 (1)
- sandbox (1)
- shellcode (1)
- payload (1)
- mobile (1)
- chess (1)
- Published on
These tasks originate from the WEB category at CTF Nullcon Goa HackIM 2025- Published on
The challenge involved crafting an XSS payload to extract a flag from an HTML tag, leveraging a vulnerability in the processing of uploaded .xlsx files and exploiting xmlattr vulnerability in Jinja2.- Published on
My solution for BluehensCTF web/Firefun 3 challenge- Published on
My solution for HackTheVote2024 web/graph1 challenge
