Web CTF Basics

Beginner · 30 min · Writeup

Fundamental techniques for web challenges

Learning Objectives

  • Inspect source code
  • Find hidden elements
  • Manipulate requests
  • Understand common web CTF types

Web challenges are the bread and butter of CTF competitions. They test your ability to find vulnerabilities in web applications and think like an attacker. Let's build a systematic approach to tackling any web challenge!

Web challenges range from "view source" easy to "chain 5 vulnerabilities" hard. The fundamentals here apply to all of them!

First Steps

Web Challenge Methodology

1. View Source Code: Right-click → View Source (or Ctrl+U)
2. Check Developer Tools: Press F12 and explore all tabs
3. Look at robots.txt: Common place for hidden paths
4. Check for Comments: HTML comments often contain hints or flags
5. Intercept with Burp: Examine full HTTP requests/responses

```bash
# Quick recon checklist:

# 1. View source
curl http://target.com
# Or right-click → View Source in browser

# 2. Check common files
curl http://target.com/robots.txt
curl http://target.com/sitemap.xml
curl http://target.com/.git/config
curl http://target.com/backup.zip
curl http://target.com/flag.txt

# 3. Check response headers
curl -I http://target.com

# 4. Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
```

Source Code Analysis

```html
<!-- Common places to find flags/hints in source -->

<!-- HTML comments -->
<!-- TODO: Remove this before production -->
<!-- Debug: flag{found_in_comment} -->
<!-- API Key: abc123 -->

<!-- Hidden form fields -->
<input type="hidden" name="admin" value="false">
<input type="hidden" name="flag" value="flag{hidden_field}">

<!-- JavaScript files -->
<script src="/js/app.js"></script>
<!-- Check these files! They often contain:
 - API endpoints
 - Validation logic (bypass client-side!)
 - Hardcoded secrets
-->

<!-- Data attributes -->
<div data-flag="flag{in_data_attribute}"></div>

<!-- CSS can hide content -->
<p style="display:none">flag{css_hidden}</p>
```
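Reading source by hand works for one page, but the same hiding places can be walked programmatically, which is also how you audit a page you are about to ship for leaked comments, hidden fields and secrets in data attributes. The scanner below is an added example, not code from the original page; the sample document is constructed from the snippets in this section, and the `HidingPlaceScanner` / `scan_html` names are ours.

```python
"""Walk an HTML page and report the hiding places listed above: comments,
hidden inputs, data-* attributes, CSS-hidden text, referenced scripts and
any flag-shaped strings. Added example, not from the original page; the
sample document is constructed from the snippets in this section."""
import re
from html.parser import HTMLParser

FLAG_RE = re.compile(r"flag\{[^}]+\}")
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}   # never get a closing tag


class HidingPlaceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, detail) tuples in document order
        self._hidden = []         # open tags whose text is hidden via inline CSS

    def handle_comment(self, data):
        self.findings.append(("comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}      # boolean attrs arrive as None
        if tag == "input" and attrs.get("type", "").lower() == "hidden":
            self.findings.append(("hidden-input", f"{attrs.get('name')}={attrs.get('value')}"))
        if tag == "script" and attrs.get("src"):
            self.findings.append(("script", attrs["src"]))
        for name, value in attrs.items():
            if name.startswith("data-"):
                self.findings.append(("data-attr", f"{name}={value}"))
        style = attrs.get("style", "").replace(" ", "").lower()
        if tag not in VOID_TAGS and ("display:none" in style or "visibility:hidden" in style):
            self._hidden.append(tag)

    def handle_endtag(self, tag):
        if self._hidden and self._hidden[-1] == tag:
            self._hidden.pop()

    def handle_data(self, data):
        if self._hidden and data.strip():
            self.findings.append(("css-hidden", data.strip()))


def scan_html(document):
    """Return (findings, flags): structured hiding places, plus a regex sweep
    of the raw text that also catches flags buried in inline JS."""
    scanner = HidingPlaceScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings, sorted(set(FLAG_RE.findall(document)))


# Constructed sample page covering the hiding places the section lists.
SAMPLE_HTML = """<html><body>
<!-- TODO: Remove this before production -->
<!-- Debug: flag{found_in_comment} -->
<form><input type="hidden" name="admin" value="false"></form>
<script src="/js/app.js"></script>
<div data-flag="flag{in_data_attribute}">visible text</div>
<p style="display:none">flag{css_hidden}</p>
<p style="display: none">nothing here</p>
</body></html>"""

if __name__ == "__main__":
    findings, flags = scan_html(SAMPLE_HTML)
    for kind, detail in findings:
        print(f"{kind:13} {detail}")
    print("flag-shaped strings:", flags)
```

The parser only sees inline `style` attributes; content hidden through a stylesheet class still needs the Elements tab or a headless browser. Run it against `curl` output to get the same list you would build by hand from View Source.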

JavaScript Analysis

Always check JS files! Search for: "flag", "password", "secret", "admin", "api", "endpoint", "key". Beautify minified code with js-beautify.

Browser DevTools Deep Dive

```text
# Network Tab (most important!)
# - See all HTTP requests
# - Examine request/response headers
# - Look at POST data
# - Check for API calls
# - Watch for XHR/Fetch requests

# Application Tab
# - Cookies: View and modify
# - Local Storage: Sometimes contains flags!
# - Session Storage: More data to check
# - IndexedDB: Application data

# Console Tab
# - JavaScript errors might leak info
# - Can run JavaScript directly
# - Type: document.cookie
# - Type: localStorage
# - Type: Object.keys(window)

# Elements Tab
# - Modify HTML in real-time
# - Change hidden fields
# - Inspect dynamic content
# - Find elements hidden via CSS
```
```javascript
// Useful console commands

// Get all cookies
document.cookie

// Get local storage
JSON.stringify(localStorage)

// List all JavaScript variables
Object.keys(window)

// Find elements containing "flag"
document.body.innerHTML.match(/flag\{[^}]+\}/g)

// Trigger hidden forms
document.forms[0].submit()

// Change input values
document.querySelector('input[name="admin"]').value = "true"
```

Request Manipulation

```bash
# Using curl for request manipulation

# Basic GET request
curl http://target.com/page

# POST request
curl -X POST -d "username=admin&password=test" http://target.com/login

# Custom headers
curl -H "Cookie: admin=true" http://target.com/admin
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/internal

# Different content type
curl -H "Content-Type: application/json" -d '{"user":"admin"}' http://target.com/api

# Follow redirects
curl -L http://target.com/redirect

# See full request/response
curl -v http://target.com
```
```text
# Using Burp Suite

# 1. Proxy Tab → Intercept requests
# 2. Modify on the fly:
# - Change parameters
# - Modify cookies
# - Add/remove headers
# - Change HTTP method

# Common modifications:
# - admin=false → admin=true
# - role=user → role=admin
# - id=1 → id=2 (IDOR)
# - User-Agent manipulation
# - Accept header manipulation
```

Client-side validation is not security! If JavaScript prevents an action, bypass it by modifying the request directly with Burp or curl.
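Why does flipping `admin=false` to `admin=true` or `role=user` to `role=admin` work so often? Because the server reads the decision back from the client. The pair of handlers below is an added example (not code from the original page): the first trusts the hidden field and cookie exactly as a weak CTF target would, the second ignores the form and only accepts a role the server itself signed. `SERVER_KEY`, the function names and the sample requests are all constructed for the demo.

```python
"""Trusting client-supplied role fields versus a server-signed cookie.
Added example, not from the original page. SERVER_KEY is a constructed
demo value; a real deployment keeps it secret and rotates it."""
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def vulnerable_is_admin(request):
    """What the CTF target does: believes whatever the client sent, so an
    intercepting proxy can simply rewrite admin=false or role=user."""
    form = request.get("form", {})
    cookies = request.get("cookies", {})
    return form.get("admin") == "true" or cookies.get("role") == "admin"


def issue_role_cookie(role):
    """Server-side: decide the role, then sign it so it cannot be edited."""
    tag = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def verify_role_cookie(cookie):
    """Return the role if the signature checks out, else None."""
    if not cookie or "." not in cookie:
        return None
    role, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None                               # tampered or forged
    return role


def hardened_is_admin(request):
    """Ignores form fields entirely; only a validly signed cookie carries a role."""
    return verify_role_cookie(request.get("cookies", {}).get("role")) == "admin"


# Constructed requests: what Burp would send, what the server issued, and a
# cookie whose role was edited after it was issued.
FORGED = {"form": {"admin": "true"}, "cookies": {"role": "admin"}}
LEGIT = {"form": {}, "cookies": {"role": issue_role_cookie("admin")}}
TAMPERED = {"form": {}, "cookies": {"role": issue_role_cookie("user").replace("user.", "admin.")}}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT), ("tampered", TAMPERED)):
        print(f"{name:9} vulnerable={vulnerable_is_admin(req)!s:5} hardened={hardened_is_admin(req)}")
```

The hardened version is the minimal fix; most frameworks go one step further and keep the role in a server-side session keyed by a random id, so the cookie carries no meaning at all for a client to edit. Either way the rule is the same: any value that crosses the trust boundary from the browser is input, not state.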

Common CTF Tricks

```bash
# HTTP Methods
# Try different methods on endpoints
curl -X OPTIONS http://target.com/admin
curl -X PUT http://target.com/admin
curl -X DELETE http://target.com/admin
curl -X PATCH http://target.com/admin

# HTTP Parameter Pollution
curl "http://target.com/page?admin=false&admin=true"
# Sometimes the last value wins!

# Case sensitivity
curl http://target.com/ADMIN
curl http://target.com/Admin
curl http://target.com/AdMiN

# Path traversal in URLs
# (curl squashes ../ before sending unless --path-as-is is given)
curl --path-as-is http://target.com/../../../etc/passwd
curl http://target.com/..%2f..%2f..%2fetc/passwd

# Null bytes
curl "http://target.com/file.php%00.jpg"

# File extensions
curl http://target.com/admin.php
curl http://target.com/admin.php.bak
curl http://target.com/admin.php~
curl http://target.com/admin.php.old
```
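Two of the tricks above, duplicate parameters and path traversal, only work because of how the server parses the request. The snippet below is an added example (not from the original page) showing the parsing decisions on the server side: a parameter reader that makes the first-wins / last-wins choice explicit and a strict mode that refuses duplicates, and a path resolver that decodes once, rejects null bytes, and checks that the normalized path is still under the document root. `DOC_ROOT`, the function names and the sample URLs are constructed for the demo.

```python
"""Server-side handling of duplicate query parameters and path traversal.
Added example, not from the original page; DOC_ROOT and the sample URLs
are constructed."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

DOC_ROOT = "/var/www/html"      # constructed document root


def read_param(url, key, policy="strict"):
    """Read one query parameter. 'first' and 'last' mimic frameworks that
    silently pick one copy; 'strict' refuses to guess."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(key, [])
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if len(values) > 1:
        raise ValueError(f"duplicate parameter {key!r}: {values}")
    return values[0]


def safe_resolve(url_path):
    """Map a request path to a file under DOC_ROOT, or raise ValueError."""
    decoded = unquote(url_path)              # decode exactly once, like the web server does
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # normpath has collapsed every ../ ; anything that left the root is refused.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        raise ValueError("path escapes document root")
    return full       # a real server would also realpath() this to defeat symlinks


def rejects(fn, *args):
    """True if fn raises ValueError for args (used in the demo below)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    polluted = "http://target.com/page?admin=false&admin=true"
    print("first:", read_param(polluted, "admin", "first"))
    print("last :", read_param(polluted, "admin", "last"))
    print("strict rejects:", rejects(read_param, polluted, "admin"))
    for p in ("/images/logo.png", "/../../../etc/passwd",
              "/..%2f..%2f..%2fetc/passwd", "/file.php%00.jpg", "/....//....//etc/passwd"):
        print(f"{p:30} ->", "rejected" if rejects(safe_resolve, p) else safe_resolve(p))
```

Note that the `....//....//` variant from the checklist is not a traversal at all against a resolver that normalizes: `....` is just an odd directory name that stays under the root. It only defeats filters that strip the literal string `../` once, which is why the check here is on the final resolved path rather than on the input.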

Try Everything

CTF creators often test specific vulnerabilities. If SQL injection doesn't work, try XSS. If XSS doesn't work, try SSRF. The challenge name often hints at the technique!

Common Web Vulns Checklist

```text
# Quick vulnerability checklist:

□ SQL Injection
 - Try ' in input fields
 - Check for errors with "

□ XSS (Cross-Site Scripting)
 - <script>alert(1)</script>
 - Check if input is reflected

□ Command Injection
 - ; ls
 - | id
 - `whoami`

□ Path Traversal
 - ../../../etc/passwd
 - ....//....//etc/passwd

□ IDOR (Insecure Direct Object Reference)
 - Change ID in URL/parameters
 - Access other users' data

□ Authentication Bypass
 - SQL injection in login
 - Cookie manipulation
 - JWT vulnerabilities

□ SSRF (Server-Side Request Forgery)
 - http://127.0.0.1
 - http://localhost
 - file:///etc/passwd

□ File Upload
 - Bypass extension filters
 - Upload PHP shell
```
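The same checklist reads the other way round for whoever runs the target: each probe leaves a recognisable trace in the access log. The scanner below is an added example, not code from the original page; the log lines are constructed, and the patterns are deliberately small (decode the request target first, then match) so the point about URL decoding is visible rather than buried in a long rule set.

```python
"""Flag the checklist probes above in web server access logs.
Added example, not from the original page: the log lines are constructed
and the patterns are intentionally minimal. Tune them before relying on them."""
import re
from urllib.parse import unquote

# One entry per checklist item we can see in a URL; order fixes the tag order.
PROBES = [
    ("sqli",          re.compile(r"'\s*(?:or|and)\s|'\s*--|union\s+select", re.I)),
    ("xss",           re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("cmd_injection", re.compile(r"[;|`]\s*(?:ls|id|whoami|cat)\b", re.I)),
    ("traversal",     re.compile(r"\.\./|\.\.\\")),
    ("ssrf",          re.compile(r"(?:https?|file):/+(?:127\.0\.0\.1|localhost|0\.0\.0\.0|\[::1\])|file:///", re.I)),
]

# Pulls the request target out of a combined-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(text):
    """Return [(line_no, decoded_target, [tags])] for lines matching any probe."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Probes arrive percent-encoded; decode twice so double-encoding
        # (%252e%252e%252f) does not slip past the patterns.
        decoded = unquote(unquote(m.group("target")))
        tags = [name for name, rx in PROBES if rx.search(decoded)]
        if tags:
            hits.append((n, decoded, tags))
    return hits


# Constructed access log: one clean request followed by one probe per category.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /item?id=5 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /item?id=5'%20OR%201=1-- HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "GET /download?file=..%2f..%2f..%2fetc/passwd HTTP/1.1" 403 0
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "GET /fetch?url=http://127.0.0.1/admin HTTP/1.1" 200 120
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "GET /ping?host=8.8.8.8;id HTTP/1.1" 200 40
"""

if __name__ == "__main__":
    for line_no, target, tags in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(tags):14} {target}")
```

POST bodies never appear in a standard access log, so form-based SQL injection and file uploads need application or WAF logging to show up; this scanner only covers what the URL carries.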

Knowledge Check

Quick Quiz

Where should you look first in a web CTF challenge?

Key Takeaways

  • Always view source code first - flags hide in comments
  • Browser DevTools is your best friend for web challenges
  • Client-side validation can always be bypassed
  • Check robots.txt, .git, backup files for hidden content
  • Challenge names often hint at the vulnerability type
  • Be systematic - work through the vulnerability checklist