A challenge to achieve RCE through SSRF by @0xblackbird, involving an interesting NextJS middleware pitfall. We build a clean proxy for it and find some extra vulnerabilities along the way.| jorianwoltjer.com
My author's writeup of the July 2025 challenge. Perform Mutation XSS to DOM Clobber an change the insertion point into an iframe, then bypass the CSP using a new useful Socket.IO gadget| jorianwoltjer.com
A "hard web xssbot" challenge about a fun browser quirk with the is= attribute to perform CSS Injection. Bypass the strict CSP with an unintended new technique to XS-Leak a selector's result by detecting the site crashing| jorianwoltjer.com