web-security
Web Security Skill
Quick Workflow
Progress:
- [ ] Identify technology stack
- [ ] Check common files (robots.txt, .git)
- [ ] Test injection points (SQLi, XSS, SSTI)
- [ ] Check authentication/session flaws
- [ ] Develop exploit
- [ ] Extract flag
Quick Recon
```bash
# Directory enumeration
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target/FUZZ -w wordlist.txt

# Technology detection
whatweb http://target
curl -I http://target

# Check robots.txt, .git exposure
curl http://target/robots.txt
curl http://target/.git/HEAD
```
Vulnerability Reference
| Vulnerability | Reference File |
|---|---|
| SQL Injection | reference/sqli.md |
| XSS | reference/xss.md |
| SSTI | reference/ssti.md |
| Command Injection | reference/command-injection.md |
| SSRF / Path Traversal | reference/ssrf-lfi.md |
| Auth Bypass / Deserialization | reference/auth-deser.md |
Tools Quick Reference
| Tool | Purpose | Command |
|---|---|---|
| sqlmap | SQLi automation | sqlmap -u URL --dbs |
| commix | Command injection | commix -u URL |
| tplmap | SSTI automation | tplmap -u URL |
| ffuf | Fuzzing | ffuf -u URL/FUZZ -w wordlist |
| Burp Suite | Proxy/intercept | GUI |
| jwt_tool | JWT attacks | jwt_tool TOKEN |