Category
Web
Web application attack techniques — injection, authentication bypass, and more.
Categories
15 totalPython
Server-side Python web bugs — SSRF parser confusion, pickle and cache abuse, Jinja2 SSTI, XML and pycurl sinks, import-time code hooks, and request smuggling.
PHP / Apache
PHP and Apache attack surface — .htaccess injection, object injection and POP chains, session-file primitives, native-code pivots, and libmagic / mt_rand confusion.
JavaScript / Browser
Client- and server-side JS bugs — mXSS, prototype pollution and path-copy gadgets, CSP bypass chains, DOM clobbering, Angular sinks, and Node module / inspector pivots.
HTTP
Protocol-level and SQL injection techniques — HTTP/3 services, operator-precedence SQLi, boolean-blind extraction, UNION-based session forging, and replay-driven SSRF.
Proxy / Infrastructure
Multi-hop and edge attacks — Traefik host-header routing, request-parsing desync, and topology enumeration through docs, headers, and operational endpoints.
Logic Bugs
Application logic flaws — undocumented modes and hidden API behavior, and weak binding of proof tokens such as captchas and coupons.
Mental Checklists
Per-stack triage checklists — what to think about first when the stack is Python, PHP, JS / browser, or a multi-hop proxy chain.
Midnight Flag Finals 2026
Web challenge writeups from the Midnight Flag 2026 finals — a server-side DOMPurify/JSDOM mXSS (inkpress) and a Flask FileSystemCache pickle RCE raced through /proc/self/fd (yanta).
FCSC 2026
Web challenge writeups from the FCSC 2026 qualifiers — client-side XSS, Apache/PHP server-side chains, HTTP request smuggling, Angular CSPT, prototype pollution, and Node sandbox escapes.
BreizhCTF 2026
Web challenge writeups from BreizhCTF 2026 — client+server chains mixing JSON type-confusion path traversal, SVG/CSP XSS, and Python import-shadowing RCE via gunicorn worker recycling.
m0leCon CTF 2025
Web challenge writeups from m0leCon CTF 2025 - ImageMagick argument injection, arbitrary write with -write, MIFF metadata survival past exiftool, and PHP webshell RCE.
Plfanzen 2026
Web challenge writeups from Plfanzen 2026 — JavaScript-flavoured server-side logic bugs: node-sqlite3 array-binding parameter pollution, missing-await bcrypt, case-insensitive LIKE, and a LiquidJS sort_natural prototype-leak side-channel.
N1CTF 2025
Web challenge writeups from N1CTF 2025 — a Node/Express chain: sha.js hash-rewind JWT forgery (CVE-2025-9288), path.extname filter bypass, path traversal, and EJS SSTI to RCE.
OpenECSC 2025
Web challenge writeups from OpenECSC 2025 - Python object/reference confusion, shared class attributes, hidden-field mass assignment, and admin config leakage.
HackTheBox Challenges
Web challenge writeups from HackTheBox — a broad mix of server- and client-side bugs: nginx cache poisoning, Next.js SSRF + Jinja2 SSTI, Go zip-slip session forgery, PHP POP chains and php-cgi argument injection, H2 SQL→RCE, Mongoose prototype pollution, Tornado object-walk gadget, and a TensorFlow Lambda-layer RCE.