ctf-web

Web exploitation techniques for CTF challenges covering injection, authentication, access control, and client-side attacks. Use this skill as a routing and execution guide for web-heavy challenges. Keep the first pass short: map the app, confirm the trust boundary, and only then dive into the detailed technique notes. Python packages (all platforms): Linux (apt): macOS (Homebrew): Go tools (all platforms, requires Go): Manual install: Use field-notes.md once you have confirmed the challenge is truly web-heavy and you need the long exploit catalog. - Covers 20+ attack categories: SQLi, XSS, SSTI, SSRF, XXE, command injection, path traversal, JWT/OAuth/SAML, prototype pollution, deserialization, file upload RCE, and race conditions - Includes quick-reference payloads, filter bypasses, and multi-stage exploitation chains with real CTF examples (HTB, Pragyan, Nullcon) - Supporting markdown files detail server-side attacks (ExifTool, Go rune bypass, Flask debug mode, Docker SSRF chains), client-side techniques (DOM clobbering, XS-Leak, Unicode case folding), and infrastructure auth (CI/CD credential theft, identity provider takeover) - Requires filesystem agent with bash, Python 3, and internet access for tool installation (sqlmap, ffuf, hashcat, ysoserial) - ysoserial — GitHub , requires Java (Java deserialization payloads) - sql-injection.md - SQL injection techniques: auth...