logo

DOJO CHALLENGE #20 Winners!

ID: eb3616c8-610c-578b-98ec-61cfaced0408

STIX ID: report--eb3616c8-610c-578b-98ec-61cfaced0408

Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed

Threat Score
30/100

Date Published: 2023-06-06

Date Updated: 2026-07-04

...
...

This write-up documents a DOM-based XSS (CWE-79) in the 'Butters Adventure' challenge where user-controlled $cmd output is written with innerHTML. The author demonstrates bypassing blacklisted characters by encoding payloads with octal escape sequences, provides a proof-of-concept that changes an in-page object property (making the player 'offline'), and recommends input validation, improved filtering, and Content Security Policy as mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.