☕

xanhacks' infosec blog

xanhacks infosec blog, enjoy reading 📖 !

Home
About
Search
1. Dark Mode

Web

NextJS research, Actions discovery, SSRF, VHOST spoofing & Freemarker SSTI with filter bypass - FCSC 2025 Wirteups

Writeup of two Web challenges from FCSC 2025, featuring a NextJS application and a Spring Boot application.

Web

Race Condition, OAuth without state and redirection into XSS & RCE via HTML2PDF - PhantomFeed HTB University 2023

Exploiting a Race Condition, OAuth without state and redirection into XSS & RCE via HTML2PDF to solve the last web challenge PhantomFeed from HTB University 2023

Web

XSS, Race Condition, XS-Leaks and CSP & iframe's sandbox bypass - LakeCTF 2023 GeoGuessy

Exploiting XSS, XS-Leaks or Race condition to steal bot's GPS coordinates.

Web

Nginx configuration bypass & Forging HTTP request - FCSC2023 Follow The Rabbit

Forging custom a HTTP request to bypass a restrictive Nginx configuration. Writeup of the challenge Follow The Rabbit of FCSC2023.

Web

Abusing FindFirstFile to do PHP Session Hijacking - THCon23 Demo App

Abusing the FindFirstFile Windows API function to do PHP Session Hijacking via Path Traversal. Writeup of the Demo App challenge of the THCon23 CTF.