Mutation XSS in DOMPurify and marked — Last weekend, I played the ångstromCTF 2022 with my team FAUST. During the CTF, I came across a relatively simple constructed but clever web challenge that I want to share with you. This is the writeup for cliche. …

XSS via WebAssembly — The Challenge While scrolling through my Twitter feed, I saw a new post from Intigriti — a fresh XSS Challenge. Since I had some free time, I decided to give it a try. In the following writeup, I go through my thinking process and explain my approach. At the time of…

XSS with CSRF Bypass — It was March and Intigriti published a new XSS challenge. Since good XSS challenges are always a way to learn new interesting methods, I gave it a try. XSS The challenge website (https://challenge-0321.intigriti.io/) contains the general rules and an input field to enter notes.

A conversation with a pirate — This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges. One of the challenges was Forencis Post Office together with a follow-up OSINT challenge All Aboard…

This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges. Since we solved all challenges and web challenges are my favorite category, I decided to create…

RealWorld CTF 2021 — This year I played the Real World CTF with team Sauercloud and we scored second place. I was involved in solving DBaaSadge, a web challenge, and am happy to share my writeup as a good source of knowledge for other people. If you want to follow the writeup side-by-side with…

The Wacky TeXt Generator — A few days ago, BugPoC announced another one of their great CTF challenges on Twitter. Since I have always learned a lot when solving their challenges, it was without questions that I played this one as well. Challenge The challenge rules were simple: You must alert(origin) showing https://wacky.buggywebsite.com You must bypass…

Hack.lu Writeup — The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge. In the following, I describe the plain solution and leave out the many rabbit holes we stepped into. The Challenge …

The magic of GitHub search, API keys, and automation — A few days ago, I discovered that Medium provides an API that everyone can request authentication keys for. While waiting for my key request to be approved, I searched on GitHub whether I could find accidentally uploaded keys. To my surprise, I found hundreds of files available in public repositories…