web

It’s like DeviantArt, but with a report button to keep it less Deviant.

There’s a joke to be made here about Python eating the GOpher. I’ll cook on it and get back to you.

Click acorns. Buy squirrels. Profit.

The only way to avoid SSTIs is to use protection.

The hardest challenge for a CTFer to solve is how to lose their versionity.

I’d rather die than use a password manager. In other news, can anyone help me remember the login info for my account? The flag for this challenge is the account password.

Check out my personal website! I have a blog!

just solved distributed systems

Well, my application is finally making it big – and I’ve heard that once you get over 10 users, using kubernetes is basically a must. Come check out my microservices!

Have you ever wanted to store some JSON data really quickly? Have we got the solution for you!

Bad news: pay-to-win made it to CTFs. Good news: we paid first.

Scanner? Buddy!

LDAP me up, bro.

DOM clobbering, domain takeovers, shared process slowdowns, and CSS exfiltration, oh my!

How on earth do SVGs have so many security vulnerabilities?

A quick but interesting proof-of-concept demonstrating that security by obscurity does not and will never work. Even if you don’t show reflected feedback from SQL commands, your database is still not safe.

For this web challenge, we had to utilize two different exploits to get the flag – and one of them wasn’t a web exploit!