Basic Web Exploitation CTF challenges will frequently require students to use Developer Tools to inspect the browser source code, adjust the user’s cookies or view the connection certificate. Look for commented lines within the of code that contain clues and/or flags. Basic SQL injection challenges may also be included.

  1. Use the Browser’s Developer Tools: Use the ‘Developer Tools’ available in ChromeFirefoxIE or Safari to inspect the browser code, run javascript and alter cookies:
    • Sources Tab  – Look for CTF flags or related info in the JavaScript, CSS and HTML source files.
  2. Check for Anonymous FTP Logon – Do a netmap port scan to see if the web site has an open FTP port (port 21) that can be exploited:
    • nmap -A -T4 []
  3. Perform a Path Traversal –  find files and directories that are outside the root folder:
    • URL update: use “dot-dot-slash (../)” or [directory name] to the URL (e.g., ).
    • /robots.txt:  review this file for pages/files that are hidden from search engine robots (e.g., )
    • Dirbuster Tool: use the provided wordlist to brute force discover hidden directories(Kali)
    • Perform a SQL Injection (SQLI) – Basic SQL injection challenges will most likely be associated with the WHERE clause of a SELECT query.  Below are some basic techniques:
      1. A) SQLI – Use Comment Statement: add two connected dashes ‘–‘ to comment out conditions and pull information:
        • e.g., Alter a URL to bypass aditional conditions:’
        • e.g., In a user namse prompt enter: administrator’–
        • which results in SELECT * FROM users WHERE username = ‘admin’–‘ AND password = ”)
      • B) Use ‘Union‘ Statement: add an add’l query to an existing SQL statement (e.g., select A from table1 UNION select B from table2)
      • C) Append a True ‘OR’ Statement: Submit a Boolean ‘OR‘ condition with a true statement (1=1) in an input field (e.g., user name prompt) to get an informative error message that may list all records in the table. The value is wrapped into:
          • Note1: https statement above includes one single quote and ends with – – two dashes
          • Note2: https statement results in : SELECT * FROM products WHERE category = ‘Gifts’ OR 1=1–‘
        2. select * from [table] where username = “or 1=’1′
        3. select fieldlist from [table] were field = ‘anything’ OR ‘x’=’x’;
        4. Note: Find the tables in most SQL DBs by running (SELECT * FROM information_schema.tables )