🌐 Web Challenges
Web challenges are generally are vulnerable websites or internet-agencent systems. Attacks that appear often are Cross Site Scripting (XSS) and SQL Injection attacks, to name a few. Often, the goal in a web challenge is login as admin or stealing an admin’s session cookie.
Web challenges are a good place to start if you’ve never done a CTF, as they require less setup and most people know some of the basics of the web and websites work.
You already have this installed! Press
F12 in your browser, and you’re half-way to becoming a
The most important tabs are:
- Elements - View and change the DOM and CSS.
- Network - View and debug network activity.
- Application - Primarily useful for viewing the current page’s cookies
The rest are generally not relevent to solving web challenges.
Burp allows you to intercept and edit requests coming from and going to your browser.
Burp has a rich suite of tools and extentions, but the tool with the most immediate relevency is the Proxy tab. Using Burp’s internal browser (or your browser, although this requires a bit of setup)
When you open the browswer with the
Intercept is on button enabled, you’ll notice that your browswer pauses while loading and an HTTP request shows up in the Burp window:
GET / HTTP/1.1 Host: example.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
This is the request the browser is trying to make. Hit the
Forward button or turn the Intercept off and the browser will continue as normal.
This functionality allows you to bypass interacting with the UI of a website and send data directly to the server. For example, say you’re testing a login page that doesn’t allow certain characters. Using Burp you could make a dummy request, intercept it, and add the illegal characters to send to the server
For more information about using Burp, check out PortSwigger’s tutorial