web ctf guide

how to approach web exploitation challenges.

recon · common vuln classes · tools · methodology

first steps for any web challenge

  1. read the source code if it's given — CTF web challenges almost always include source. the vulnerability is usually obvious once you read carefully.
  2. browse the app manually first. click everything. look for forms, URL parameters, API calls, cookies, and headers.
  3. check robots.txt, /admin, /debug, /.git, /.env — exposed files are common in CTFs.
  4. view page source and check JavaScript files for hidden endpoints, API keys, or client-side validation you can bypass.
  5. open browser dev tools — the network tab shows all requests. check for interesting headers, response data, or endpoints not visible in the UI.

match the symptom to the vuln class

  • input reflected in response → XSS — try <script>alert(1)</script>. if filtered, try variations like <img src=x onerror=alert(1)>.
  • input goes into a database query → SQL injection — test with a single quote ' and look for SQL errors or behavioral change. use sqlmap if manual testing confirms it.
  • file or path in a URL parameter → LFI — try ?file=../../../etc/passwd. also try PHP wrappers like php://filter/convert.base64-encode/resource=index.php.
  • server fetches a URL you control → SSRF — redirect to internal services. try http://127.0.0.1, http://169.254.169.254 (AWS metadata), or file:///etc/passwd.
  • template syntax in output → SSTI — test with {{7*7}}, ${7*7}, <%= 7*7 %>. identify the engine (Jinja2, Twig, Freemarker) and look up its RCE payload.
  • predictable ID or resource identifier → IDOR — change /api/order/123 to /api/order/124. check if you can access other users' data.
  • user input in a shell command → command injection — try ; id, | whoami, $(id), or `id`. look for upload functionality that processes filenames.
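
why the single-quote probe in the SQL injection row works, and what the fix looks like: the snippet below is an added example, not part of the original guide. it builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation (the pattern that makes a stray quote surface as an SQL error) and once with a bound parameter (where the quote is just data). the table, column names and sample rows are all made up for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a challenge app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string concatenation: user input becomes part of the SQL text.

    A lone single quote unbalances the string literal, so the database rejects
    the statement; that error (or a changed result set) is the symptom the
    guide tells you to watch for.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def lookup_hardened(conn, name):
    """Parameterized query: the driver binds the value, so it is never parsed as SQL.

    The same single quote now simply matches no row; no error, no changed logic.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "'"):
        print(repr(probe), "concat  ->", lookup_vulnerable(db, probe))
        print(repr(probe), "bound   ->", lookup_hardened(db, probe))
```

reading the source for string-built queries like the first function is the fastest way to confirm this vuln class; a codebase that only uses bound parameters is the hardened form.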

useful tools

  • Burp Suite — intercept and modify requests, scan for vulns, repeat requests with modifications. essential for web CTF.
  • sqlmap — automated SQL injection testing. use once you've confirmed the injection point manually.
  • ffuf / gobuster — directory and file brute-forcing. find hidden endpoints and files.
  • curl — manual request crafting from the command line. fast for testing headers, cookies, and method changes.
  • CyberChef — decode base64, URL encoding, JWT tokens, and other encoded data quickly.