I didn’t check all the challenges this time because when I joined the competition, most of the challenges already solved by my teammates lol
I love JavaScript(yep, including those weird features) and XS-leak, so this writeup will talk about only two challenges:
Among the many web vulnerabilities, my favorite is prototype pollution. It can be powerful sometimes when you find a script gadget.
So, I decided to make an XSS challenge about prototype pollution.
In April, the challenge I made was released on Intigriti, if you haven’t checked that one, here is the link: https://challenge-0422.intigriti.io/
Making a good challenge is hard.
I made a few mistakes. With the bugs I made, the challenge became much easier. To make up for it, I decided to make another one, called “The Revenge of Intigriti 0422 Challenge”.
Below is the intended solution to the revenge challenge.
Challenge URL: https://aszx87410.github.io/xss-challenge/revenge-of-intigriti-0422
Challenge URL: https://challenge-0422.intigriti.io/
A while ago, I happened to play a lot of topics related to content type, so I decided to wrote an article about it.
Recently, I encountered many problems related to content type, so I decided to write an article to record them.
It’s a blog post about a few magical features that I have encountered recently. It is not interesting to say it directly. Let’s start with a few small challenges:
Here are a few magical features that I recently encountered. Let’s start with a few challenges:
Last month, I created an XSS challenge and hosted it on my GitHub: https://aszx87410.github.io/xss-challenge/notes/
This is the writeup about the challenge and solutions, including intended and unintended.
I will start from the intended one.
There were two difficult Web questions this time. I solved one, and the other one was unsolvable, but the solution is worth a look. Here’s a brief summary.
If you want to generate a new window on a webpage, there are probably only two options: one is to embed resources on the same page using tags such as iframe, embed, and object, and the other is to use window.open to open a new window.
As a front-end developer, I believe that everyone is familiar with these. You may have used iframe to embed third-party web pages or widgets, or used window.open to open a new window and communicate with the original window through window.opener.
However, from a security perspective, there are many interesting things about iframes, which often appear in the real world or in CTF competitions. Therefore, I want to record some of the features I learned recently through this article.
