Tags: web 


The vulnerability of this challenge is we could change the URL for the remote widget to our host. So, we could create a malicious widget to create a widget and the application will deserialize our malicious widget. idk about the name of this vulnerability, perhaps we could call it widget hijacking ¯\\\_(ツ)_/¯


Original writeup (https://nyxsorcerer.github.io/write-up-ctf-defcon-2022-quals-discoteq/).