
Zeyu's Infosec Blog

👋 This is where I write about information security!


~# whoami

I love to build and break things. Cybersecurity is one of the many fields I'm passionate about.

You can learn more about me from my personal website.

~# ls -la 2023

DEF CON 31 CTF && Midnight Sun CTF Finals 2023

My first hacker summer camp experience 🏖️

From XS-Leaks to SS-Leaks Using object

Turning cross-site leaks (XS-Leaks) into "same-site leaks" using the object element to get around SameSite cookies. Nested objects, lazy loading and responsive images help us to conditionally perform callbacks based on HTTP response status codes.

Regular Expressions Are Hard

From insufficient security fixes to ReDoS, regular expressions are hard to get right. Yet, they are integral to modern software security and development. Hopefully this article helps you avoid common pitfalls before it's too late!

ReadiumJS Cloud Reader — Everybody Gets an XSS!

While participating in a bug bounty programme, I stumbled upon a (surprisingly, somewhat known) XSS vulnerability in the Readium cloud reader that affects many university websites and online libraries.

~# ls -la 2022

HTTP Request Smuggling in the Multiverse of Parsing Flaws

HTTP request smuggling is a vulnerability which arises when web servers and proxies interpret the length of a single HTTP request differently. While basic techniques have been known since 2005, renewed research interest in HTTP request smuggling in recent years has uncovered many new bugs in popular web proxies and servers.

Nowadays, novel HTTP request smuggling techniques rely on subtle deviations from the HTTP standard. Here, I discuss some of my recent findings and novel techniques.

Hosting a CTF — SEETF 2022 Organizational and Infrastructure Review

My experience in hosting SEETF 2022, and lessons learnt.

SEETF is a cybersecurity Capture the Flag competition hosted by the Social Engineering Experts CTF team. We were pleased to host our inaugural competition in 2022, which saw over 2,000 participants and 1,200 teams. Of these teams, 740 solved at least one challenge.