Earlier this week I found a vibe-coded web calculator that allowed code injection. I thought this would be interesting: finding out which functions would be callable and how to exfiltrate data in a plot.
Then I realized the input was eval'd and you could get text back by throwing an exception. Where is the fun in that?
The biggest challenges were that everything got converted to lowercase and the JSON encoding was a bit broken, so I had to do some f-string manipulation.