From Intigriti challenge to a Vue.js script gadget

Intigriti’s November challenge by IvarsVids was about a Vue.js one-pager that reflected user input with some replacements. After visiting the challenge homepage, we quickly notice that it reflects the s query parameter without escaping the HTML less-than and greater-than signs, resulting in HTML injection.

Web is hard, reARMSEC aka ARMSec 2020

At reARMSEC, this year’s seventh annual Armsec information security conference, I made a small presentation (Google Slides, PDF version) on why the modern web is hard, describing HackerOne’s top 10 most impactful and rewarded vulnerability types for 2020. As for real-life examples of the bugs, I gathered reports mostly from HackerOne’s Hacktivity.