h4fan security

blog about security, tech

h4fan  •  2026
  • Learning SSTI with gosecure

    Study notes on the Gosecure SSTI environment

    Posted on December 25, 2020

    Environment address: the gosecure SSTI tutorial, template-injection-workshop [Read More]
    Tags:
    • ssti
    • websec
  • Intigriti XSS Challenge-2020 Writeup

    Posted on December 15, 2020

    Intigriti’s December XSS Challenge https://challenge-1220.intigriti.io/ [Read More]
    Tags:
    • xss
  • An unsuccessful expressjs SSTI story

    Posted on December 14, 2020

    Recon Response Header x-powered-by: express. An expressjs website. [Read More]
    Tags:
    • ssti
    • expressjs
  • alert 1337 - jquery prototype pollution

    Posted on November 5, 2020

    challenge here https://msrkp.github.io/ [Read More]
    Tags:
    • xss
    • prototype pollution
  • alert(23) to win - eval(location.pathname)

    Posted on October 24, 2020

    While surfing the internet for some sec news, I came across an XSS challenge. Challenge address: https://renwax23.github.io/X/chal/oct22/ [Read More]
    Tags:
    • xss
  • javascript Object assignment (=) | 03 Sep 2024
  • intigriti challenge 0824 writeup | 03 Sep 2024
  • How to download only part of a Github Repo | 30 Aug 2024
  • research on service worker | 29 Aug 2024
  • the 'bad' psk | 28 Aug 2024
  • the eks cluster games CTF writeup | 05 Aug 2024
  • DoH - dns over https | 02 Aug 2024
  • the big iam challenge CTF writeup | 30 Jul 2024
  • prompt airlines CTF writeup | 28 Jul 2024
  • k8s lan party ctf writeup | 23 Jul 2024