Nolan Kuza edited this page Mar 2, 2023 · 14 revisions

Web

The Web category involves exploiting vulnerabilities in applications that run on the world wide web. Sometimes CTFs provide you with the source code of the website's server to help you find vulnerabilities, but sometimes this is not provided and you must use other methods to discover a vulnerability.

There are a wide variety of attacks that can be conducted on websites. One could send well-crafted requests, inject database queries into an insecure server, devise a malicious URL to send to another user, and much more. Many attacks will involve a combination of these techniques!

Challenges

Resources and Videos

Workflow

  1. Open the website in a program like Burp Suite
  2. Interact with the website as a normal user to get an idea of its purpose
  3. Read the client source code (View Page Source) to see how it interacts with the server and potentially find hidden information
  4. Read the server code (if provided) to see how the server handles requests from the client
  5. Try to find what the goal is (where the flag will be stored) based on source code and context
    1. If the challenge provides an "admin bot" website that visits any URL you give it, the goal is probably to provide a URL to the bot that makes it perform a certain action or leak certain information when visited
  6. Look for weak points, such as: JavaScript weirdness, weak type checks, unsanitized user input, unsanitized file paths, SQL injections, XSS injections
    1. If you encounter some function or language feature in the code that seems like a potential attack vector, Google it! You might discover some nuance about how it works that can aid in your exploit.
  7. If relevant, use Burp Suite to inspect requests you make and tweak the requests to try to get different results
  8. Craft an attack plan and execute it. Depending on the situation you will either use tools like Burp Suite, write a solve script, or just manually carry out the attack.

Topic Resources

Tools

  • Burp Suite (Community Edition) - https://portswigger.net/burp
    • Can intercept requests you make to web servers
    • Can alter and replicate requests you make to web servers
  • webhook - https://webhook.site
    • Allows you to create a simple temporary web server that captures any requests made to it
      • Great for exfiltrating data
  • requestbin - https://requestbin.com/r
    • Similar to webhook, a bit simpler
  • ngrok - https://ngrok.com/
    • Allows you to tunnel a web server running locally on your computer to the internet
      • Useful if you need a server more complicated than a webhook

Notes

Some subtleties about web technology:

Client Session Cookies

One may want to store a user's session data entirely inside of their cookie rather than on the server. This is useful when creating a challenge where you want to save user state but do not have a persistent server or database available. For Node.js, two common middleware libraries for doing this are cookie-session (by the Express project) and client-sessions (by Mozilla). Interestingly, while the former is much more popular, it does not encrypt the data in the cookie (it only encodes and signs it, so the user can still read it), while the latter does. So, if the data in the user's cookie should be hidden from the user, make sure to use client-sessions. Source: https://github.com/expressjs/cookie-session/issues/9