tl;dr

• Using the rotate chains method to exploit ruby class pollution to leak Legacy cookie via SQLI.
• Using a 1-Gadget ruby deserialization vector to get RCE in a clever way.
• Using a bunch of other clever tactics for exploitation.

tl;dr

• Chrome extension debugging and exploitation
• Leaking flag byte by byte using css injection

tl;dr

Image gallery 1

• Get xss by uploading index.html in public dir
• Use bf cache to get the flag.

Image gallery 2

• Slice files.js using nginx partial caching.
• Use Subresource Integrity to load the right script
• Use DOM clobbering and Cache probing to leak the flag uuid

tl;dr

• DOM Clobbering to Redirect to another page
• Increasing Content using SQL Injection giving the same column multiple times
• Connection-Pool XS-Leaks to measure the time for the page to load
• Leak the flag character by character using the above techniques

tl;dr

• Capturing the flag id through redos attack in /search endpoint
• XSS in /uuid/noteid/raw and HTML injection in /uuid/noteid
• CSP frame-src bypass through server side redirect

tl;dr

• Leak JWT token through Race Condition.
• Leak authorization token via an open redirect.
• Chaining XSS & CSRF in the oauth pipeline to leak the Admin’s oauth access token.
• RCE via CVE-2023-33733.

tl;dr

• Misconfiguration in JWT token validation
• SQL Injection through JWT token
• Insecure Deserialization in .NET leading to RCE using custom class StatusCheckHelper

tl;dr

• Mutation XSS using namespace confusion
• Parsing inconsistency in JSDOM

tl;dr

• XSS using hx- attribute to fetch the flag from /api/note/flag.

tl;dr

• meta redirect to attacker website, using the html injection in the paaad.
• leak the unique subdomain with csp violation.
• Another meta redirect csrf with the leaked subdomain to make the note public.