Utilizing powerful prototype pollution gadgets to achieve remote code execution in a very small nodejs application

Abusing log4j conversion patterns to leak an environment variable without the usage of JNDI

Another XS leak challenge, this time abusing a server side redirect to extract the flag

solutions for the web challenges I created for idekCTF 2021 (difference checker, fancy notes, generic pastebin challenge, steghide as a service, and jinjail)

a straightforward but interesting xs leak challenge from FwordCTF 2021