Web

  • Published on
    In this year's UIUCTF, they provided an interesting web challenge called Pwnypass, which revealed an intriguing timing-based behavior in the browser during navigation that can be leveraged by attackers. I give it a fancy name: EAR (Execution After Redirect) attack on the client side.
  • Published on
    Recently, I started maintaining a repo related to 'web-pwn' on GitHub, which refers to the exploitation of memory-related vulnerabilities within essential web components like browsers, JavaScript runtimes, PHP runtimes, and others.
  • Published on
    This writeup contains an interesting mXSS challenge, named awesome-note-2, from hack.lu this year.
  • Published on
    I also participated in the p4 CTF last weekend. I managed to solve two AI-related challenges, which reminded me of the material I was working on during my undergraduate studies. There is also an interesting blind pwn challenge about fmt and uninitialized read vulnerabilities.
  • Published on
    Another writeup for the RealWorld 2023 CTF. Here are the baby-level and normal-level challenges, but they are actually not easy at all.
  • Published on
    idek2022 provided several good-quality challenges. The `sprintf` challenge is a 'weird' format string challenge for which I have summarized 3 different impressive approaches. Check them out!
  • Published on
    This is the writeup for snykCTF 2022, which provided so many interesting web challenges. I take it as an opportunity to learn more about various web security topics, which is why I spent time going through all the challenges again. I hope you find this writeup informative and enjoyable!
  • Published on
    This blog aims to summarize everything about the JavaScript-specific vulnerability - prototype pollution: the necessary knowledge about JavaScript, what the prototype and prototype chain are, how to exploit the prototype pollution vulnerability, and several CTF challenges related to prototype pollution which might help in understanding all of it.