This is the first writeup i wrote back in 2022, just after the RomHack CTF.
ETag reuse and Firefox’s 304 caching flaw enable a CSP sandbox bypass
At HTB Cyber Apocalypse 2025, I chained multiple exploits—from web SSRF and header injection to stored XSS and PostgreSQL RCE—to gain full remote code execution. This post details both the unintended and intended approaches.