maciej@home:~/blog$

About security, penetration testing, python
  • justCatTheFish - Google CTF 2022 - Postviewer writeup.

    Postviewer was one of the web category tasks in Google CTF 2022. The author of the task - terjanq - prepared for us a client-side application whose purpose was to host files. This was realized by storing them in IndexedDB - a built-in browser API for storing data. From the...

  • New technique of stealing data using CSS and Scroll-to-Text Fragment feature.

    Wondering if anyone could leak your crypto wallet seeds? Check out my newest research on the new technique of stealing data using CSS and Scroll-to-Text Fragment feature: https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/

  • Lovely nonces (ASIS CTF Quals 2021) the unintended way.

    The quasi-crypto part by Arusekk

    The first thing I noticed in this task was unsafe random nonce generation. Unpredictable random values in Node.js should be generated using crypto.random*() and not Math.random(), which is designed to be fast, not safe. So while the others were working on an XSS payload that...