Jack Pan

#flask

2 posts

CIT CTF 2026 · Debug Disaster: a leaky debug page and a forgotten route

Flask debug=True leaks more than tracebacks — it leaked the source code of a forgotten route that dumps .env in cleartext.

Tags: CTF · cit-ctf-2026 · web

CIT CTF 2026 · A Massive Problem: mass assignment via dict.update

The challenge name spells it out. At register time, record.update(incoming) lets the role field in the request body overwrite the hard-coded default.

Tags: CTF · cit-ctf-2026 · web