Latest Posts

MongoDB - Extracting data (admin password) using NoSQL Injection - MMACTF 2016 Web 100 writeup
Using NoSQL injections to extract admin password from the database (MMACTF 2016 web 100 writeup)
Command Injection via Bruteforce ZipCracker - MMACTF 2016 Web 200 writeup
Command injection via the dictionary file used for bruteforce. (MMACTF 2016 web 100 writeup)
Remote Code Execution via Python __import__() - MMACTF 2016 Tsurai Web 300 writeup
Manipulating Python's __import__() statement to import attacker controlled modules (MMACTF 2016 web 100 writeup)
Prompt.ml - XSS Challenges writeup
If you haven't seen this already, this is a series of XSS challenges by Filedescriptor. The challenges were really good and if you haven't attempted to solve it, you should definitely try yourself before reading the writeups here.
escape.alf.nu - XSS Challenges writeup
If you haven't seen this already, this is a series of XSS challenges by Erling Ellingsen. The challenges were really good and if you haven't attempted to solve it, you should definitely try yourself before reading the writeups here.
PHP object Injection via Cookie unserialize() - Nuit du hack CTF Web 100 writeup
Reading local files with PHP object Injection via Cookie unserialize() (Nuit du Hack 2016 web 10 writeup)
Markdown based Stored XSS in Zendesk !
How markdown can help in triggering XSS ?
How I got a shell on Google Acquisition ?
Getting a shell on Google Acquisition.