Most XSS bugs are obvious: unescaped input, wrong function, move on. This one wasn't. I dove into a conditional branch that only fires when an author has no URL, outputting data that absolutely shouldn't. This is a full technical walkthrough: from recon to PoC that takes a Contributor account to Admin XSS.
I dive into a multi-layered OSINT (Open-Source Intelligence) investigation that proves the "old days" of manual, high-dopamine digital sleuthing are far from over in this AI-dominated time.
Unlike my usual deep dives, this blog post will contain my thoughts while solving the bits CTF 2026 web challenge rusty-proxy, which was victim to agentic AI, but insightful nonetheless.
This challenge demonstrated that security vulnerabilities often exist not in the code itself, but in the glue connecting different components. While the PHP application and the `expect` script appeared logically sound in isolation, the vulnerability emerged from the behavior of the Linux TTY subsystem.
I explore a misaligned trust chain between a CDN, a Tornado web app, and an admin bot that allows cache poisoning via a GET request body. This lets us serve an XSS payload to the admin. We then abuse environment variable injection to get RCE.