Web

For Web challenges, you’ll be given a link to a webpage, sometimes some source code, and possibly a hint in the challenge title or description. From there, there are many forms the challenge could take on. Web challenges cover a wide range of web-based exploits and tend to focus on bad coding practice, common language vulnerabilities, code injection, and other exploits or web trickery.

Topics

• General/Misc
• Cookies
• SQL Injection
• PHP
• Template Injection
• XSS
• File Upload
• CSRF/SSRF
• XXE

Tools

• Requests - Python library for scripting HTTP requests
• Burpsuite - Collection of tools for testing web app security
• DirBuster - Directory and file name brute-forcer
• SQLMap - Database vulnerability detector and exploiter
• Nmap - Network scanner
• PostBin - Website for collecting HTTP requests

Sites

• OverTheWire/Natas - Web Problems
• Websec - Web Problems