Web Exploitation

Web exploitation in CTF challenges involves finding and abusing weaknesses in how web applications handle user input, authentication, or file access. This section covers the most common attack surfaces, how to analyze them efficiently, and which tools to use in a competition setting.

• General: reconnaissance and discovery tools for finding directories, sensitive files, and exposed configurations.

• Code Injection: execute arbitrary code via vulnerable functions like eval or exec.
• Command Injection: run OS-level commands through unsanitized system calls.
• SQL Injection: manipulate SQL queries to retrieve or modify database entries.
• NoSQL Injection: exploit JSON‑based databases (e.g., MongoDB) to bypass filters.
• Server‑Side Template Injection (SSTI): abuse template engines (Jinja2, Twig) to execute code.

• IDOR (Insecure Direct Object Reference): manipulate identifiers to access unauthorized data.
• SSRF (Server‑Side Request Forgery): force a server to make internal requests on behalf of the user.
• XXE (XML External Entity): read files or cause server requests via crafted XML entities.
• GraphQL: exploit introspection or poorly secured API queries to extract sensitive data.

• XSS (Cross‑Site Scripting): inject JavaScript into web pages for client‑side code execution.
• JavaScript: analyze and deobfuscate JavaScript for client‑side validation, encoding, or prototype pollution vulnerabilities.

• LFI (Local File Inclusion): read or inject local files via unsanitized include paths.
• PHP: explore common PHP language flaws such as type juggling, weak comparisons, and unsafe methods.
• Python: exploit Flask cookie signatures or insecure pickle deserialization.

• Start with enumeration: identify technologies, directories, and hidden parameters.
• Review public files (e.g., robots.txt, .git/, .env).
• Use proxy tools (Burp, Caido, ZAP) to observe request/response patterns.