Overcomplicating a hard client-side web challenge involving complex CSP script gadgets. Exploit Math.random() predictability, and learn how to use the Connection Pool to make Race Conditions easier. | jorianwoltjer.com
A challenge to achieve RCE through SSRF by @0xblackbird, involving an interesting NextJS middleware pitfall. We build a clean proxy for it and find some extra vulnerabilities along the way.
My author's writeup of the July 2025 challenge. Perform Mutation XSS to DOM Clobber and change the insertion point into an iframe, then bypass the CSP using a new useful Socket.IO gadget.