Category
Midnight Flag Finals 2026
Web challenge writeups from the Midnight Flag 2026 finals — a server-side DOMPurify/JSDOM mXSS (inkpress) and a Flask FileSystemCache pickle RCE raced through /proc/self/fd (yanta).
0 categories
Notes (2 total)
inkpress — mXSS via server-side DOMPurify + JSDOM reparse
A publishing app sanitizes a hand-built DOM tree with DOMPurify over JSDOM and ships the serialized string to a browser that re-parses it. A <style> rawtext breakout, hidden from DOMPurify by an element child, turns a "safe" tree into live XSS that steals the editor bot's secret.
Tags: web, javascript, xss, mxss, dompurify, jsdom (+6 more)
yanta — FileSystemCache pickle RCE raced through /proc/self/fd
A Flask note app stores cache entries as md5-named pickle files and writes them via an open directory FD. By racing that still-open FD through /proc/self/fd, you bypass the path blocklist, plant a malicious pickle, and get RCE on the next cache read.
Tags: web, python, flask, flask-caching, cachelib, filesystemcache (+9 more)