Latest Posts

MongoDB - Extracting data (admin password) using NoSQL Injection - MMACTF 2016 Web 100 writeup
Using NoSQL injections to extract admin password from the database (MMACTF 2016 web 100 writeup)
Command Injection via Bruteforce ZipCracker - MMACTF 2016 Web 200 writeup
Command injection via the dictionary file used for brute-forcing (MMACTF 2016 web 100 writeup)
Remote Code Execution via Python __import__() - MMACTF 2016 Tsurai Web 300 writeup
Manipulating Python's __import__() function to import attacker-controlled modules (MMACTF 2016 web 100 writeup)
Prompt.ml - XSS Challenges writeup
If you haven't seen this already, this is a series of XSS challenges by Filedescriptor. The challenges were really good, and if you haven't attempted to solve them, you should definitely try them yourself before reading the writeups here.
escape.alf.nu - XSS Challenges writeup
If you haven't seen this already, this is a series of XSS challenges by Erling Ellingsen. The challenges were really good, and if you haven't attempted to solve them, you should definitely try them yourself before reading the writeups here.