• Learn
  • Challenges
  • Meetings
  • HackPack CTF 2024
  • Research Internships
Loading...
×

🌐 Web Challenges

Web challenges are generally are vulnerable websites or internet-agencent systems. Attacks that appear often are Cross Site Scripting (XSS) and SQL Injection attacks, to name a few. Often, the goal in a web challenge is login as admin or stealing an admin’s session cookie.

Web challenges are a good place to start if you’ve never done a CTF, as they require less setup and most people know some of the basics of the web and websites work.

Must-Have Tools

Browser Devtools

You already have this installed! Press F12 in your browser, and you’re half-way to becoming a l33t h4x0r.

The most important tabs are:

  • Elements - View and change the DOM and CSS.
  • Console - View messages and run JavaScript from the Console.
  • Network - View and debug network activity.
  • Application - Primarily useful for viewing the current page’s cookies

The rest are generally not relevent to solving web challenges.

Burp Suite

Burp allows you to intercept and edit requests coming from and going to your browser.

Burp has a rich suite of tools and extentions, but the tool with the most immediate relevency is the Proxy tab. Using Burp’s internal browser (or your browser, although this requires a bit of setup)

When you open the browswer with the Intercept is on button enabled, you’ll notice that your browswer pauses while loading and an HTTP request shows up in the Burp window:

GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

This is the request the browser is trying to make. Hit the Forward button or turn the Intercept off and the browser will continue as normal.

This functionality allows you to bypass interacting with the UI of a website and send data directly to the server. For example, say you’re testing a login page that doesn’t allow certain characters. Using Burp you could make a dummy request, intercept it, and add the illegal characters to send to the server

POST /login HTTP/1.1
Host: www.example.com
Connection: close
Content-Length: 73
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: www.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

email=admin@example.com &password=%27AND 1=1;-- SQL injection, anyone?

For more information about using Burp, check out PortSwigger’s tutorial