Lab Vulnerabilities
Stored XSS in Captions
Video caption/title is rendered via innerHTML; try <img src=x onerror=alert(1)>
SSRF via Avatar URL
POST /upload accepts an external avatar URL, and the server fetches it directly.
Token Exposed in Storage
tt_session is stored in localStorage rather than in an HttpOnly cookie, so any script running on the page can read it.
Rate Limit Bypass
POST /api/like has no rate limit, so an unlimited number of likes can be submitted.