All Posts

  • Published on
    Writeup for the web challenges in the Pwnme 2025 CTF. There is a very interesting account takeover challenge in a black-box setting.
  • Published on
    In this year's UIUCTF, they provided an interesting web challenge called Pwnypass, which revealed an intriguing timing-based behavior in the browser during navigation that can be leveraged by attackers. I give it a fancy name: EAR (Execution After Redirect) attack on the client side.