tl;dr
- Capturing the flag id through redos attack in /search endpoint
- XSS in /uuid/noteid/raw and HTML injection in /uuid/noteid
- CSP frame-src bypass through server side redirect
tl;dr
- Adding the last character to a tab causes null byte overflow
- Use said overflow to unset prev_inuse bit
- Coalesce upwards with fake chunk to perform unlink attack
- Unlink attack places .bss pointer in place of heap pointer
- Editing .bss allows for Arbitrary R/W
tl;dr
- Leak JWT token through Race Condition.
- Leak authorization token via an open redirect.
- Chaining XSS & CSRF in the oauth pipeline to leak the Admin’s oauth access token.
- RCE via CVE-2023-33733.
tl;dr
- Misconfiguration in JWT token validation
- SQL Injection through JWT token
- Insecure Deserialization in .NET leading to RCE using custom class StatusCheckHelper
tl;dr
- CTR bit-flipping attack along with CRC recomputation
tl;dr
- Mutation XSS using namespace confusion
- Parsing inconsistency in JSDOM
tl;dr
- XSS using hx- attribute to fetch the flag from /api/note/flag.
tl;dr
- meta redirect to attacker website, using the html injection in the paaad.
- leak the unique subdomain with csp violation.
- Another meta redirect csrf with the leaked subdomain to make the note public.