XSS with CSRF Bypass

The challenge announcement on Twitter

It was March and Intigriti published a new XSS challenge. Since good XSS challenges are always a way to learn new interesting methods, I gave it a try.


The challenge website (https://challenge-0321.intigriti.io/) contains the general rules and an input field to enter notes.

A conversation with a pirate

This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges.

One of the challenges was Forencis Post Office together with a follow-up OSINT challenge All Aboard. In the following, I explain our approach to this challenge and how we finally solved it.

Post Office

I received a package today. A few minutes later, I received the following SMS asking me to pay for the delivery:

Chronopost: Veuillez confirmer le reglement des frais (2,99 EUR) et votre adresse de…

This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges.

Since we solved all challenges and web challenges are my favorite category, I decided to create writeups for all of them. The challenges are ordered by their points, feel free to skip the ones you solved.

Obfuscation — 10 points and 318 solves

My password is my secret. You will never find it…
To validate this chall, please enter the secret code as the flag.

When we visit the website, we can…

RealWorld CTF 2021

This year I played the Real World CTF with team Sauercloud and we scored second place. I was involved in solving DBaaSadge, a web challenge, and am happy to share my writeup as a good source of knowledge for other people.

If you want to follow the writeup side-by-side with your own setup, you can find all the challenge files here.

The challenge

In the challenge, we get a Dockerfile that sets up a Postgres 10 database with two extensions: dblink and mysql_fdw. The first one is an extension by Postgres itself and allows the user to link and connect Postgres databases…

The Wacky TeXt Generator


A few days ago, BugPoC announced another one of their great CTF challenges on Twitter. Since I have always learned a lot when solving their challenges, it was without questions that I played this one as well.


The challenge rules were simple:

  1. You must alert(origin) showing https://wacky.buggywebsite.com
  2. You must bypass CSP
  3. It must be reproducible using the latest version of Chrome
  4. You must provide a working proof-of-concept on bugpoc.com


The challenge domain was wacky.buggywebsite.com. When opening the domain, the Wacky TeXt Generator displays a small editor and a button as it is shown in the title picture.

As the following…

Hack.lu Writeup

The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge.

In the following, I describe the plain solution and leave out the many rabbit holes we stepped into.

The Challenge

With our brand-new FluxCloud Frontline product, we offer hyper-secure, ultra-rapid edge routing. Of course we have a bug bounty program too! If you can bypass our protections, you will be rewarded with a juicy flag. https://public.frontline.cloud.flu.xxx:8443/

When we open the challenge, we are provided with the source code of the…

The magic of GitHub search, API keys, and automation

Photo by the author

A few days ago, I discovered that Medium provides an API that everyone can request authentication keys for. While waiting for my key request to be approved, I searched on GitHub whether I could find accidentally uploaded keys. To my surprise, I found hundreds of files available in public repositories containing data that looked just like Medium authentication keys. Indeed, already the second key I tried was functional. In this article, I describe what a malicious user could do with these keys and how I automated the process of finding valid keys.

Are they possible and are they a real risk?

Photo by Dmitry Ratushny on Unsplash.

The first time I came across the service worker concept was during Defcon CTF. In one challenge, we had to register a service worker to intercept the user's traffic and reroute it to our server. This concept sounded interesting and dangerous, so I researched it and eventually realized it would be a good topic for an article about using service workers as a “Man in the Middle” (MitM) and if its application is feasible in the real world.

What Are Service Workers?

Of course, your first question is likely “What even is a service worker?” The Google web developer guidelines describe them as follows:

A bug bounty report

I was writing a new article on Medium when I started procrastinating and looking at the traffic this website is producing. Knowing there is a bug bounty program on Medium that I was awarded before, I thought maybe I am lucky once again and decided to play around with the following and unfollowing calls.

The GraphQL API

Medium uses GraphQL, initially developed by Facebook, to communicate with parts of their API and inform the database about follow and unfollow requests. To do so, only the target user-id is required, user authentication is verified via auth cookies. As answer a request, the server would…

Photo by David Rangel on Unsplash

A few weeks ago I found a bug in one of PayPal’s APIs that can easily be abused to allow excess fraudulent charges where the buyers are unknowingly charged more than they agreed on (read more here). Of course, I submitted it to PayPal’s bug bounty program, however, the report was rejected as fraud, theft, or malicious merchant accounts are out of scope.

All the people I explained the impact to were also surprised that the report was rejected, so it made me think: What should companies consider designing a good bug bounty program? In this article, I share my…


Computer Science Student. Interested in IT security and forensics. https://fhantke.de/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store