This year I played the Real World CTF with team Sauercloud and we scored second place. I was involved in solving DBaaSadge, a web challenge, and am happy to share my writeup as a good source of knowledge for other people.
If you want to follow the writeup side-by-side with your own setup, you can find all the challenge files here.
In the challenge, we get a Dockerfile that sets up a Postgres 10 database with two extensions: dblink and mysql_fdw. The first one is an extension by Postgres itself and allows the user to link and connect Postgres databases…
A few days ago, BugPoC announced another one of their great CTF challenges on Twitter. Since I have always learned a lot when solving their challenges, it was without question that I played this one as well.
The challenge rules were simple:

- alert(origin)
- showing https://wacky.buggywebsite.com
The challenge domain was wacky.buggywebsite.com. When opening the domain, the Wacky TeXt Generator displays a small editor and a button as it is shown in the title picture.
As the following…
The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge.
In the following, I describe the plain solution and leave out the many rabbit holes we stepped into.
With our brand-new FluxCloud Frontline product, we offer hyper-secure, ultra-rapid edge routing. Of course we have a bug bounty program too! If you can bypass our protections, you will be rewarded with a juicy flag. https://public.frontline.cloud.flu.xxx:8443/
When we open the challenge, we are provided with the source code of the…
A few days ago, I discovered that Medium provides an API that everyone can request authentication keys for. While waiting for my key request to be approved, I searched on GitHub whether I could find accidentally uploaded keys. To my surprise, I found hundreds of files available in public repositories containing data that looked just like Medium authentication keys. Indeed, already the second key I tried was functional. In this article, I describe what a malicious user could do with these keys and how I automated the process of finding valid keys.
The first time I came across the service worker concept was during Defcon CTF. In one challenge, we had to register a service worker to intercept the user's traffic and reroute it to our server. This concept sounded interesting and dangerous, so I researched it and eventually realized it would be a good topic for an article about using service workers as a “Man in the Middle” (MitM) and if its application is feasible in the real world.
Of course, your first question is likely “What even is a service worker?” The Google web developer guidelines describe them as follows:
…
I was writing a new article on Medium when I started procrastinating and looking at the traffic this website is producing. Knowing there is a bug bounty program on Medium that had awarded me before, I thought maybe I would be lucky once again and decided to play around with the follow and unfollow calls.
Medium uses GraphQL, initially developed by Facebook, to communicate with parts of their API and inform the database about follow and unfollow requests. To do so, only the target user-id is required; user authentication is verified via auth cookies. In answer to a request, the server would…
A few weeks ago I found a bug in one of PayPal’s APIs that can easily be abused to allow excess fraudulent charges, where the buyers are unknowingly charged more than they agreed on (read more here). Of course, I submitted it to PayPal’s bug bounty program; however, the report was rejected, as fraud, theft, or malicious merchant accounts are out of scope.
All the people I explained the impact to were also surprised that the report was rejected, so it made me think: What should companies consider when designing a good bug bounty program? In this article, I share my…
Yes… DEFCON is really cancelled this year, nevertheless I did not miss the chance to play the DEFCON CTF Quals. I participated with the team Sauercloud and spent most of the time with the pooot web challenge. Unfortunately, we were not successful in solving the challenge before the end of the Quals, but I continued and eventually figured the solution out. To document the solution for myself and hopefully help anyone who did not solve the challenge, here is my writeup.
The web is becoming more and more dangerous every day. Our secure pooot proxy allows you to continue your browsing…
I like cooking; it is somewhat relaxing to take some time off and create a delicious meal. So a friend recommended an app called KptnCook to me, and I have really enjoyed it. KptnCook only offers three recipes per day. The recipes are available for one day only and then they disappear. To save a good recipe, I can store it in my favorites. Thus, you don’t feel overwhelmed by the lots of recipes that you get in other apps.
Nevertheless, the curious person that I am, after a few weeks using the app, I thought about ways to trick the…
My parents bought a photovoltaic system developed to produce and use their own energy. Of course, as with every IoT device nowadays, one may use an app to monitor the produced data. However, when I was home for Christmas, my parents told me that monitoring with an app is stupid and that they want to store and view the data on their personal computer. After some research I found no PC interface available for the system and decided to dig deeper into it.
To begin my research, I looked up the IP address of the system and scanned for open ports with nmap…