arxenix's blog

SekaiCTF'24 htmlsandbox - Author Writeup

HTML parsing differentials are fun!

Cookie Bugs - Smuggling & Injection

Cookie Bugs - Smuggling & Injection

Research on how browsers encode & send cookies, how they are parsed by various web frameworks, and some bugs

SECCON CTF 2022 Finals

SECCON CTF 2022 Finals

Winning SECCON Finals, writeups, and some Tokyo pictures.

DiceCTF 2023 writeups

DiceCTF 2023 writeups

writeups for the challenges I wrote for dicectf 2023

Overlong Sec-Required-CSP header: CVE-2021-37989

Overlong Sec-Required-CSP header: CVE-2021-37989

abusing long http headers for cache probing

The Closed Shadow DOM

The Closed Shadow DOM

a bit of research on security of the shadow DOM

Hosting a CTF - UIUCTF'21 Overview + Infra

Hosting a CTF - UIUCTF'21 Overview + Infra

Thoughts on running UIUCTF21, competition decisions, and infrastructure writeup

Detecting uBlock origin via a timing side-channel

chrome extensions are bad, use firefox

PlaidCTF 2021 - wowza - web (350pt)

race condition + prototype pollution + SSRF via fetch() redirect

DragonCTF 2020 - Scratchpad (web)

Error-Based XS Leak

Showcasing the Importance of Secure Defaults with a PyYAML 0day

Bypassing PyYAML filtering and getting a CVE (2020-14343)

CSAW CTF Finals 2019 - easiest crackme - Web (100,300,300 pt)

Exploiting a chrome extension that allows you to debug binaries via RPC

PlaidCTF 2019 - can you guess me - misc (100pt)

Bypassing heavily filtered python code evaluation

Pwning PHP CTF Challenges

Short list and collection of links to learn about vulns used in PHP CTF Challenges