L3AK25: Writeup for Web/Window-of-Opportunity
Exploits window.opener with SOP disabled to bypass CSRF protections and read sensitive data from the admin’s tab via DOM access.
A prototype pollution vulnerability in a custom parser enables bypassing sanitize-html, allowing XSS via an <iframe onload> payload. Exploitation relies on unsafe object property checks and config values inherited from the polluted prototype.
The application is vulnerable to a side-channel attack known as XS-Search, a subclass of XS-Leaks. By observing differences in server responses to 3-character search queries, we reconstructed the flag one character at a time.