CSS Injections have always fascinated me. A few months ago, I asked myself: “is it possible to do CSS Exfiltration if default-src ‘self’ is specified in the CSP?” Well, if you’re reading this you already know the answer is yes. Also, I wrote a challenge about this for TRX CTF 2025: Keeper. This post will serve both as a writeup for the challenge and as an explanation of this new “technique”.

This year, I played in the ASIS CTF Finals with @TheRomanXpl0it, and we secured 7th place at the end of the CTF. I decided to write this up because I’ve never seen a similar challenge before. @simonedimaria and I worked on this challenge and solved it after about 8 hours. Overview As the name suggests, this is an XS-Leak challenge. We’re given the source code and there are three endpoints.

TODO

I partecipated to the first edition of CyberSpace CTF with @TheRomanXpl0it. It’s always nice to see some jail challenges so, I decided to write a writeup for the challenge I liked the most: resruby.

I partecipated to the first edition of L3ak CTF with FoocHackz. I solved this challenge, it wasn’t hard but writing a working exploit took me at least one/two hours.

This is my first CVE published by myself. A lot of times people write unsafe regular expressions that can lead to Denial Of Service and this is an example.

This year, for the first time, I partecipated to 0ctf with mhackeroni. Me, @Ricy and @Alemmi solved this challenge, we spent many hours in order to find a working exploit, but it was worth it.

I liked this challenge a lot so I decided to create a writeup (my first, actually) about it. Thanks to the organizers for this wonderful CTF!