☕

xanhacks' infosec blog

xanhacks infosec blog, enjoy reading 📖 !

Home
About
Search
1. Dark Mode

Web

File Read using .htaccess, IPv6 bypass filter, Unserialize pop chains - FCSC 2026 Wirteups

Writeup of Secure Mood Notes challenges from FCSC 2026, featuring a Symfony and Flask applications.

Web

NextJS research, Actions discovery, SSRF, VHOST spoofing & Freemarker SSTI with filter bypass - FCSC 2025 Wirteups

Writeup of two Web challenges from FCSC 2025, featuring a NextJS application and a Spring Boot application.

Web

Race Condition, OAuth without state and redirection into XSS & RCE via HTML2PDF - PhantomFeed HTB University 2023

Exploiting a Race Condition, OAuth without state and redirection into XSS & RCE via HTML2PDF to solve the last web challenge PhantomFeed from HTB University 2023

Web

XSS, Race Condition, XS-Leaks and CSP & iframe's sandbox bypass - LakeCTF 2023 GeoGuessy

Exploiting XSS, XS-Leaks or Race condition to steal bot's GPS coordinates.

Web

Nginx configuration bypass & Forging HTTP request - FCSC2023 Follow The Rabbit

Forging custom a HTTP request to bypass a restrictive Nginx configuration. Writeup of the challenge Follow The Rabbit of FCSC2023.