<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Membership Test Attack on CyberSecurity Elite</title><link>https://cybersecurityelite.com/tags/membership-test-attack/</link><description>Recent content in Membership Test Attack on CyberSecurity Elite</description><image><title>CyberSecurity Elite</title><url>https://cybersecurityelite.com/images/og-default.png</url><link>https://cybersecurityelite.com/images/og-default.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 16 Jul 2026 13:41:29 +0200</lastBuildDate><atom:link href="https://cybersecurityelite.com/tags/membership-test-attack/index.xml" rel="self" type="application/rss+xml"/><item><title>BroncoCTF 2026 Web + Crypto Writeup: 6 Challenges Solved</title><link>https://cybersecurityelite.com/ctf-writeups/broncoctf-2026-web-crypto-writeup/</link><pubDate>Thu, 16 Jul 2026 10:55:00 +0000</pubDate><guid>https://cybersecurityelite.com/ctf-writeups/broncoctf-2026-web-crypto-writeup/</guid><description>Step-by-step BroncoCTF 2026 web and crypto writeup — four web challenges (Forbidden Archives: SQLite LIKE injection where the app leaks the query tail via a quote reflection and its naive keyword stripper turns ORDER into DER but the payload %&amp;#39;) AND is_secret=1 -- uses the app&amp;#39;s own visibility column against it; Lovely Login: robots.txt disallows /security (a leftover TODO-remove page spelling out password = reverse(username)) AND carries a base64 comment amVmZixzYXJhaCxhZG1pbixndWVzdA== = jeff,sarah,admin,guest with only admin:nimda returning the flag; Super Secure Server: /api/config exposes plaintext credentials so the browser can do a client-side password compare, and /login blindly trusts {authenticated:true} in the POST body, signs a session cookie, and returns the /flag redirect; Unblur Me: 500-derivative calculus gate is pure CSS filter:blur(20px) with the sharp PNG fetched unconditionally from /api/v1/internal/fetch-config-blob) and two crypto challenges (Blorg Multiplier: MD5-hex-digest command dispatcher with an uppercase show trap and a program feature that lets a registered command name recursively invoke a space-separated command list, weaponised by registering a 128-byte MD5 collision block as the program name so the sibling collision block matches by hash but not by string and falls through to the flag branch; Probably Unbreakable: XOR OTP whose key bytes are drawn only from a 64-character alphabet [a-zA-Z0-9_-], so each ciphertext byte becomes a membership test on p XOR c and 127 samples collapse every flag position to one candidate).</description></item></channel></rss>