Bypassing Content Security Policy (CSP) using jsDelivr CDN to execute a blind XSS payload and steal the admin’s JWT cookie, revealing the flag.

Analyzing a malicious Word document to extract and decode obfuscated VBA macros that execute PowerShell commands, revealing the embedded flag.

Exploiting prototype pollution in a vulnerable jQuery plugin to manipulate the HTML sanitizer's whitelist and achieve XSS. By injecting custom attributes into the global object, the attack bypasses client-side filtering and executes a malicious payload.

Chaining XSS, Zip Slip, and SSTI vulnerabilities to achieve remote code execution (RCE) on a Flask web server. By exploiting insecure file extraction, we overwrite a template file with an SSTI payload, allowing command execution to retrieve the flag.

Bypassing DOMPurify's sanitization using namespace confusion in MathML to achieve XSS on the challenge web application. This involved analyzing obfuscated JavaScript, reversing URL parameter handling, and leveraging a known DOMPurify bypass to successfully trigger the exploit.