A comprehensive web exploitation guide covering everything from SQLi and SSTI to OAuth bypasses and prototype pollution. The workflow is smart: map the app, confirm trust boundaries, then dive into technique docs. You get 15+ markdown references spanning injection, deserialization, auth manipulation, and client-side attacks, plus prereq commands for sqlmap, ffuf, flask-unsign, and ysoserial. The field notes pull from real CTF write-ups (CSAW, PlaidCTF, 35C3) with specifics like Xalan XSLT seed guessing and SoapClient CRLF smuggling. It tells you when to pivot to pwn, crypto, or forensics skills if the challenge shifts. Best for HTTP-first targets where the flag lives in a database, API response, or behind broken auth rather than native binaries.
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-web