ctf-web

This file is a detailed offensive security/CTF writeup describing many server-side vulnerabilities with PoC payloads and detection guidance. It contains explicit exploit techniques (command injection via ExifTool DjVu, SSRF→Docker RCE, Next.js Flight deserialization RCE, XXE via external DTDs, etc.) and shows how untrusted inputs flow into dangerous sinks. The content is not an obfuscated malicious module but is high-risk educational material that could be reused by attackers against vulnerable systems. There is no evidence of hidden runtime malware inside this text alone, but operationalizing the instructions against real targets would enable serious compromise.

This document is an offensive security cheat sheet: a comprehensive catalog of client-side attack patterns and exploitation recipes (XSS payloads, sanitization bypasses, admin-bot/javascript: navigation attacks, JPEG+HTML polyglots, timing oracles, cache poisoning, shadow DOM escapes, etc.). It contains numerous explicit exfiltration payloads and step-by-step instructions that can be used to attack real web applications and admin/bot workflows. The content itself is not obfuscated and does not perform malicious actions by itself, but it provides high-fidelity operational guidance that can be misused. Treat this as high-risk instructional material — suitable for red-team/CTF use and defender training, but dangerous if used against production systems without authorization.

This file is an offensive security writeup/CTF cheat sheet describing many real-world authentication and access-control attack techniques. It contains actionable instructions to forge tokens, abuse key-loading behaviors (jwk/jku/kid), perform path traversal and memory reads, bypass proxies via encoding, exploit misconfigured CORS, and jailbreak LLMs. The document itself is not obfuscated and does not contain self-executing malware, but it is high-risk educational material that could be misused. If you see the patterns described in your application (e.g., jwt.decode without verification, accepting token-provided keys or URLs, unsanitized KID usage, exposed public keys used for decryption without signature/authentication, reflected ACAO with credentials), treat them as serious vulnerabilities and remediate promptly.

SUSPICIOUS: purpose and capabilities are internally aligned as a CTF exploitation guide, so this is not disguised malware, but it is a high-risk offensive-security skill. It meaningfully enables autonomous exploitation, external callbacks, and data exfiltration patterns, including webhook.site usage, so it should be treated as dangerous despite coherent documentation.