A Capture-the-Flag or “CTF” is a cybersecurity competition designed to test and sharpen security skills through hands-on challenges that simulate real-world situations. MetaCTF offers training in eight different categories: Binary Exploitation, Cryptography, Web Exploitation, Forensics, Reconnaissance, Reverse Engineering, CyberRange, and Other / Miscellaneous. This post is part of a series that explains what each category covers, why the subject is important, and how to approach these problems.
What is Web Exploitation?
Web exploitation is the act of finding and exploiting vulnerabilities in web applications. Nearly every website or app on your PC or smartphone is a web application, or at least interacts with one via an API. Because almost every company deploys web apps (not just tech companies like Google, but also newspaper publishers and coffee companies), web exploitation CTF challenges are the most broadly applicable to any given participant.
If your developers do not anticipate how the app could be attacked, a hacker can use web exploitation techniques to trick your app into disclosing confidential information from your database, like private keys, login credentials, or a list of employees.
For example, most apps accept inputs from users, like a link to upload a profile picture. If a hacker inputs a malicious link instead of a link to a photo, they might be able to trick the app into returning your cloud credentials (this type of web exploitation is called a server-side request forgery, or SSRF). Then they could do anything from deleting your infrastructure to running up your cloud service bill.
If a hacker knows the link to your internal employee database and submits it instead of a picture, and your engineering team did not think through how a secure app should respond in this situation, the app might return a list of all of your employees and their login credentials instead of posting a new profile picture.
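As an added example that is not part of the original post, here is how the profile-picture upload described above could validate the user's link before the server fetches it. The allowlist, hostnames and addresses are constructed for illustration, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of image hosts the hypothetical app may fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# The vulnerable pattern the post describes is simply requests.get(user_url)
# with no check on where the link points, so an internal service or a cloud
# metadata endpoint is as reachable as a real image host.


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    private ranges, link-local (where cloud metadata services usually live),
    multicast and reserved space."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_picture_url(url: str, resolver=socket.gethostbyname) -> str:
    """Return url if it is safe to fetch, else raise ValueError.
    resolver is injectable so the check can be unit-tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    # An allowlisted name can still resolve to an internal address, so check
    # the address too. Remaining gap: the HTTP library resolves the name
    # again, so an answer that changes between lookups slips past; pinning
    # the resolved IP for the actual fetch closes it.
    resolved = resolver(host)
    if not is_public_address(resolved):
        raise ValueError(f"{host} resolves to non-public address {resolved}")
    return url


def is_safe_picture_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Boolean wrapper around validate_picture_url for callers and tests."""
    try:
        validate_picture_url(url, resolver)
        return True
    except ValueError:
        return False
```

The check is deliberately a positive allowlist rather than a blocklist of "bad" addresses, since blocklists tend to miss alternate encodings and redirects.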
How to solve a Web Exploitation CTF challenge
First, look for the hint in the CTF instructions. For example, if the hint references database concepts or technologies, there’s a good chance that the solution involves SQL injection.
Next, begin probing the app for vulnerabilities. If you think that the vulnerability is on the front end, you can open your browser’s developer tools to look at the app’s behavior, like the sources loaded, requests sent, or endpoints hit, or read the page’s JavaScript to look for custom code. If you think the vulnerability is on the back end, use a tool like Burp Suite to view, modify, and resend anything within the HTTP requests. The goal of these probes is to help you build a mental model of how the app works.
Finally, apply the hint. Returning to our database example from before, once you have found one or more functions within the app that accept database calls, like an option to login using your username and password, try performing a SQL injection to see if you can get the database to return the flag or other useful information.
Resources to learn more about Web Exploitation
- The OWASP Top 10 Web Application Security Risks
- GitHub “Awesome Web Security” thread with a massive list of resources
- PortSwigger’s resources for learning and research
Want to learn more about cybersecurity training options for your team? Schedule a demo here or email us at contact@metactf.com.