Posts
All the articles posted by the community.
- Supply Chain & AI Rules File Backdoor: Typosquat → Poisoned Skill → Runtime Backdoor
  A two-flag chain that walks an attacker from a developer's stray dev-comment, through a typosquatted npm package, into an AI rules file dropped on disk, ending with a runtime backdoor the AI agent silently injected into the application's admin API.
- Cross-Site Request Forgery on the Admin Order Update Endpoint
  The admin order update endpoint authenticates via cookie and validates nothing else, allowing any same-session page to flip an order's status on the admin's behalf.
- Insecure Randomness: recovering a gift card code from its timestamp
  OopsSec Store derives gift card codes from a linear congruential generator seeded with the card's creation timestamp. The timestamp is exposed to the buyer with millisecond precision, which is all you need to reproduce the code and redeem the card from a different account.
- Path Traversal: Escaping the Documents Directory via the Files API
  Exploiting an unsanitized file path parameter in OopsSec Store's documents API to read files outside the intended directory and retrieve a flag.
- Reading Secrets From the Browser: The NEXT_PUBLIC_ Trap in Next.js
  Exploiting a misused NEXT_PUBLIC_ environment variable in OopsSec Store to recover a payment secret embedded in the client JavaScript bundle.
- Leaking Secrets Through Error Messages: Exploiting a Verbose API Debug Response
  A data export endpoint dumps system diagnostics when it hits an invalid field. Feed it garbage, read the debug output, grab the flag.
- Race Condition: abusing a single-use coupon with concurrent requests
  OopsSec Store validates a coupon and increments its counter in two separate database calls. Send enough concurrent requests and several slip through the check before any of them completes the increment.
- Middleware Authorization Bypass: Skipping Next.js Auth with a Single Header (CVE-2025-29927)
  Exploiting CVE-2025-29927 to bypass Next.js middleware-based authentication using the x-middleware-subrequest internal header, accessing a protected internal status page without credentials.
- Malicious MCP Server: Poisoning an AI Agent Through Tool Responses
  We host a malicious MCP server whose tool responses trick OSSBot into calling a restricted internal tool and leaking the flag.
- Padding oracle attack: forging encrypted share tokens
  A padding oracle in OopsSec Store's share feature leaks whether decryption produced valid PKCS#7 padding. That's enough to forge a token for an internal report and grab the flag.