DOJO CHALLENGE #20 Winners!
ID: eb3616c8-610c-578b-98ec-61cfaced0408
STIX ID: report--eb3616c8-610c-578b-98ec-61cfaced0408
Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed
This write-up documents a DOM-based XSS (CWE-79) in the 'Butters Adventure' challenge where user-controlled $cmd output is written with innerHTML. The author demonstrates bypassing blacklisted characters by encoding payloads with octal escape sequences, provides a proof-of-concept that changes an in-page object property (making the player 'offline'), and recommends input validation, improved filtering, and Content Security Policy as mitigations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
