0xbro

WAF bypass and vulnerability chain exploiting parser differentials

Apr 16, 2023

Waffle-y Order is a medium-difficulty Web challenge from HackTheBox, involving the exploitation of parser differential vulnerabilities to bypass a regex-based WAF and chain a PHP Object Injection with a Blind XXE to read arbitrary files and exfiltrate data.

You can find the full write-up here!

https://youtu.be/IESwry_l-UU
