This CSP bypass technique utilizing SOME attack went under the radar but allowed for a novel way to defeat CSP with only A-z,. characters & windows. Another interesting fact of the specific issue is, WordPress remains vulnerable to this day and affects all WordPress sites (49% of

CVE-2023-46251: Stored DOM XSS in MyBB < 1.8.37 by using BBCode 🔥:

[size='1337px;\'>>\<img/src=ccc/ onerror=alert`1`//id=name //&pt;']eviltext[/size]

It gets executed within the textbox preview so any user looking at it or editing it will trigger it. Patch asap! #bugbountytip

You can now bypass CSP on any website that allows github.com in a script-src or default-src

PoC: <script src=api.github.com/gist/anything?…></script>

Despite character limitations, you can use the Same Origin Method Execution technique we shared to get full XSS.

Can you find the vulnerability here?
10$ reward for first correct answer.

OK, so why does this XSS work?

Octagon Networks researchers discovered PHP servers drop any header if the header has '%0D'. This means if attacker controls char in header they can remove the header. That is the solution to our latest XSS.

The more you know 😉 #bugbountytips

Can you pop alert(1) here?
10$ reward for the first valid solution! 💢🔥

octagon.net/chal/10.php

Solution: 49% of the internet suffer from a 0day CSP bypass because it runs WordPress at a directory or subdomain. Our blog too is WordPress at octagon.net/blog

Attackers can utilize a novel CSP bypass technique we discovered to bypass the policy. #bugbountytips

XSS CTF solution: The CSP policy only allows JS from same domain. We can turn our injection into a valid JavaScript and reinclude it. Kinda like an XSS inception 😉 - congrats for those who solved it. Next round Monday. #bugbountytips

XSS CTF solution: The CSP policy only allows JS from same domain. We can turn our injection into a valid JavaScript and reinclude it. Kinda like an XSS inception 😉 - congrats for those who solved it. Next round Monday. #bugbountytips

There is an XSS here somewhere. 🤔
Can you pop alert() here?
10$ reward for the first valid solution! 💢🔥 attach proof in reply.

octagon.net/chal/8.php #bugbountytips

Can you find the flag by exploiting a vulnerability? 10$ for first solver! 💢

octagon.net/chal/1.php

You can bypass CSP on any website that allows microsoft.com in a script-src

PoC: <script src=microsoft.com/en-us/research…></script>

This works because of the WordPress CSP bypass our engineer found last year:

octagon.net/blog/2022/05/2… #bugbountytip #BugBounty

There is a vulnerability somewhere. 10$ for first solver 👀

SSRF CTF solution: We can only control 3 characters in between https & the allowed URL. little-known trick is: https://0 refers to localhost. We combine ':0/' with directory traversal to bypass this filter to get our flag.

https:0/test.octagon.net/test.php/../../flag 🤑

There is an SSRF here somewhere. Can you use it to steal the flag? 10$ reward. 🔥💀

octagon.net/chal/7.php

Can you find the token here?
10$ for first solver. 🔥💀

octagon.net/chal/6

Can you find the vulnerability here? 10$ for first solver. 🔥

Can you pop alert(1) here?
10$ reward for the first valid solution! 💢🔥

octagon.net/chal/5.php