logo

DOJO Challenge #27 Winners!

ID: ce3bf448-1123-5925-b72c-dc9abb467a18

STIX ID: report--ce3bf448-1123-5925-b72c-dc9abb467a18

Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed

Threat Score
50/100

Date Published: 2023-10-09

Date Updated: 2026-07-04

...
...

This write-up explains a successful XSS exploit against a web playground: the author demonstrates that calling toUpperCase() after reading length allows certain Unicode characters (notably the ligature \uFB00) to expand after uppercasing, bypassing a character validation loop and enabling injection; the report shows a PoC payload combining repeated ligatures, Unicode/HTML-encoded '<' (\u003c) and HTML entities to execute an onerror alert, and recommends checking/normalizing case before length/character checks to mitigate the issue.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.