Some hosting providers implemented http-01 having one part of the challenge key reflected in the response. This resulted in a huge amount of websites being vulnerable to XSS just because of their quirky implementation of the http-01 ACME-challenge.
A couple of weeks ago I put up a small challenge for a specific XSS problem, called Twins of Ten. The idea was to find a payload that was limited to ten characters, these characters would repeat once and you could expand it to how many pairs you wanted. The challenge was to both find the shortest payload but also find a way around the XSS Auditor inside Chrome / Safari.
A while ago I found a vulnerable endpoint with some fun limitations. I though it could be exciting to see how you would go about breaking it.
Monday 12:04 AM. While doing some Sunday night research – also known as “bug bounty hunting” – I stumbled upon a fun challenge that I …