Category
FCSC 2026
Web challenge writeups from the FCSC 2026 qualifiers — client-side XSS, Apache/PHP server-side chains, HTTP request smuggling, Angular CSPT, prototype pollution, and Node sandbox escapes.
Fast Fishers — iframe hijack + Turkish-İ execCommand bypass
Bypass a postMessage e.source check by navigating a trusted cross-origin iframe to about:blank, then defeat an insertHTML filter with the Turkish dotted capital İ (U+0130) to land XSS and steal the bot's FLAG cookie.
Bubulle Corp 2 — CRLF-in-XML → Apache/gunicorn TE.CL request smuggling (partial / unsolved)
Sequel to Bubulle Corp. Same XML find() SSRF, but latin-1 CRLF injection through the icon method/body fields lets you craft raw requests to the internal Apache proxy. A Transfer-Encoding\xa0 desync against gunicorn 21.2.0 (CVE-2024-6827) smuggles GET /flag to the backend — but reflecting the second response back through Apache was not solved.
Bubulle Corp — XML find() disagreement → SSRF to an internal proxy flag alias
The settings endpoint validates only the direct-child <icon_url> (must start with https://), but fetch_icon resolves it with lxml's recursive .find('.//icon_url'). Nest an http:// icon_url one level deeper to SSRF the internal Apache proxy, whose AliasMatch serves flag.txt for any non-root path.
Deep Blue — Angular CSPT + libmagic JSON/SVG type confusion to a bypassSecurityTrustHtml sink
Angular fetches /api/.../{id}.json and renders it via bypassSecurityTrustHtml. Use client-side path traversal in the route id to redirect that fetch to an uploaded file, and a >500-deep JSON (with SVG magic bytes up front) to fool PHP's mime_content_type into accepting it as image/svg+xml while Angular still parses it as the article JSON — landing XSS that reads the bot's flag.
FCSC Aquarium — data: import injection → SIGUSR1 inspector pivot to a non-sandboxed Node process
Inject a data:text/javascript module into a dynamic import() to get code execution under Node's --permission sandbox (fs-read only), then SIGUSR1 a sibling unrestricted node process to open its inspector, drive it over CDP/WebSocket, and run child_process for full RCE.
Secure Mood Notes (1 & 2) — .htaccess injection oracle → forged PHP cookie → LD_PRELOAD RCE
Inject Apache directives into a .htaccess via an IPv6 zone-ID, build a mod_headers expr oracle to leak the Snuffleupagus secret (part 1), then forge signed PHP cookies, chain a Composer ClassLoader gadget to file inclusion, smuggle an ELF as a note, and escape Snuffleupagus via LD_PRELOAD + mail() (part 2).
Shellfish Say — parse_url traversal + session.upload_progress to plant stored XSS
Bypass a .. filter via the parse_url ":" branch and a
Shrimp Saver Revenge — nonce reuse + srcdoc reparse to beat a strict CSP
Same path-copy DOM gadget as Shrimp Saver, but the max_input_vars CSP break is patched. Use the gadget to write a script, steal the live nonce, fix the script's nonce attribute, then copy its outerHTML into an iframe srcdoc so the reparse runs it under a valid nonce.
Shrimp Saver — path-copy DOM gadget + max_input_vars CSP break
A query-string "copy a.b.c into x.y.z" gadget gives arbitrary property writes across the DOM; overwrite blacklist.includes with eval, then knock out the CSP header by exceeding PHP's max_input_vars so the eval fires and exfiltrates the bot's flag.