(Written in Simplified Chinese) Self-XSS + Django open redirect + broken auth system.

Original writeup (https://blog.cal1.cn/post/BCTF%202017%20web%20writeup).