A story from a real pentest, where a strange cross-site scripting vulnerability was mistaken for a much more severe server-side template injection.

A Pastebin-driven crypto phishing scam is dissected, revealing obfuscated JavaScript that swaps deposit addresses during exchanges, though blockchain analysis shows little evidence of victims falling for it.