Home CTF tricks for web expliotation
Post
Cancel

CTF tricks for web expliotation

CTF WEB Tricks for enumeration

  • Different HTTP methods
  • access middle redirect pages via open redirect vulnerability +
  • Checking cookies content
  • Modifying cookies
  • The poor cookie admin authentication
  • Inspection of the website HTML/CSS/JS file
  • Inspect every page after every action
  • Ctrl + F with the flag format
  • Check out available paths via Gobuster
  • bruteforce with the normal admin:admin
  • file trace by looking through static imports(html,css,js,imgs)
  • flag can be scattered in the client side
  • Checking out robots.txt/.htaccess/.DS_Store
  • Any sus long string can be base64(may need to respect its multi-line)
  • md5 checks
  • JS obfuscation (may god help u with it)
  • WebAssembly
  • HTTP Headers(User-Agent,Accept-Language,referer,Date,DNT,X-Forwarded-For,etc…)
  • Command Injection(system command)(don’t forget to URL encode specializes)
  • Command Injection(language command - php, node, python etc.. -)
  • SQL Injection
  • Blind SQL Injection
  • SQL Injection filters bypass
  • SQL database server access and querying
  • ~Sometimes Burpsuite sucks~
This post is licensed under CC BY 4.0 by the author.

-

AngstromCTF 2023 Writeups for web exploitation Part 1

Comments powered by Disqus.