Picture this: you’ve just had the perfect wedding. The vows were spoken, the cake was eaten, the dance floor was packed, and an endless stream of photos captured it all. You’re floating on cloud nine, relishing in the happily ever after, when suddenly you discover your precious wedding photos, including…

Mutation XSS in DOMPurify and marked — Last weekend, I played the ångstromCTF 2022 with my team FAUST. During the CTF, I came across a relatively simple constructed but clever web challenge that I want to share with you. This is the writeup for cliche. If you are only here to see the solution, feel free to…

XSS via WebAssembly — The Challenge While scrolling through my Twitter feed, I saw a new post from Intigriti — a fresh XSS Challenge. Since I had some free time, I decided to give it a try. In the following writeup, I go through my thinking process and explain my approach. At the time of…

XSS with CSRF Bypass — It was March and Intigriti published a new XSS challenge. Since good XSS challenges are always a way to learn new interesting methods, I gave it a try. XSS The challenge website (https://challenge-0321.intigriti.io/) contains the general rules and an input field to enter notes.

A conversation with a pirate — This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges. One of the challenges was Forencis Post Office together with a follow-up OSINT challenge All Aboard…

This weekend, I had the pleasure to play the DaVinci CTF and score first place with my team FAUST. It was great fun and a good quality CTF with some nice and creative challenges. Since we solved all challenges and web challenges are my favorite category, I decided to create…

RealWorld CTF 2021 — This year I played the Real World CTF with team Sauercloud and we scored second place. I was involved in solving DBaaSadge, a web challenge, and am happy to share my writeup as a good source of knowledge for other people. If you want to follow the writeup side-by-side with…

The Wacky TeXt Generator — A few days ago, BugPoC announced another one of their great CTF challenges on Twitter. Since I have always learned a lot when solving their challenges, it was without questions that I played this one as well. Challenge The challenge rules were simple: You must alert(origin) showing https://wacky.buggywebsite.com You must bypass…

Hack.lu Writeup — The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge. In the following, I describe the plain solution and leave out the many rabbit holes we stepped into. The Challenge …