tl;dr
- Bypassing CSPT filters and UUID validations implemented using Regex .
- Chaining CSPT and Open-Redirect to achieve XSS .
- Finally XSS and retrive the admin cookie .
Intigriti 0724 XSS Challenge
tl;dr
- Dom clobbering to clobber isDevelopmet
- Throwing an error using RPO to prevent Dompurify from loading
- Using base tag’s to import our evil.js
Flag Remover - KitCTF 2024
tl;dr
- Dom clobbering to clobber document.body
- Bypassing Dompurify dom clobbering protection
- Dom clobbering using form tags
Mocha CTF 2024 Web Writeups
tl;dr
- Basic Javascript pseudo protocol waf bypass .
- Dom clobbering in a LateX library .
- Csp bypass using JSONP endpoint in googleapis.com using callback.
WaterMark as a Service AngstromCTF
tl;dr
- XS-search 200 / 404 .
- Leaking using HTML injection in a same-site challenge.
- Link tags and Error events .
päääd - Hack.lu CTF 2023
tl;dr
- meta redirect to attacker website, using the html injection in the paaad.
- leak the unique subdomain with csp violation.
- Another meta redirect csrf with the leaked subdomain to make the note public.