I explore a misaligned trust chain between a CDN, a Tornado web app, and an admin bot that allows cache poisoning via a GET request body. This lets us serve an XSS payload to the admin. We then abuse environment variable injection to get RCE.
I exploit Python's introspection and format string tricks to escape a jail that bans letters, digits, and every binary operator except modulo.
I abuse window.opener to navigate the admin's tab to /get_flag and exfiltrate the response, bypassing CSRF protection entirely.
I pollute Object.prototype through a custom query parser to smuggle an onload attribute past sanitize-html's attribute whitelist.
I exploit a search endpoint that redacts but still matches the flag, using a 3-character sliding window oracle to brute-force it character by character.