DOJO Challenge #27 Winners!
ID: ce3bf448-1123-5925-b72c-dc9abb467a18
STIX ID: report--ce3bf448-1123-5925-b72c-dc9abb467a18
Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed
This write-up explains a successful XSS exploit against a web playground: the author demonstrates that calling toUpperCase() after reading length allows certain Unicode characters (notably the ligature \uFB00) to expand after uppercasing, bypassing a character validation loop and enabling injection; the report shows a PoC payload combining repeated ligatures, Unicode/HTML-encoded '<' (\u003c) and HTML entities to execute an onerror alert, and recommends checking/normalizing case before length/character checks to mitigate the issue.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
