logo

DOJO CHALLENGE #10 Winners!

ID: 98609a0b-6251-5087-b5b3-bce9f97ee8b5

STIX ID: report--98609a0b-6251-5087-b5b3-bce9f97ee8b5

Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed

Threat Score
30/100

Date Published: 2021-05-25

Date Updated: 2026-07-04

...
...

This write-up documents a proof-of-concept exploit against a JavaScript "palindrome" challenge where input s is mirrored (s + reverse(s)) and evaluated with eval. By supplying the payload `KEY|`, the mirrored expression `KEY||YEK` exploits short-circuit evaluation to return the secret KEY and disclose the flag; the report includes code, PoC, and mitigation suggestions such as removing eval or tightening input filtering.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.