███╗   ██╗ ██████╗  ██████╗ ██████╗ ██╗   ██╗██╗     ███████╗
████╗  ██║██╔═══██╗██╔═══██╗██╔══██╗██║   ██║██║     ╚══███╔╝
██╔██╗ ██║██║   ██║██║   ██║██║  ██║██║   ██║██║       ███╔╝ 
██║╚██╗██║██║   ██║██║   ██║██║  ██║██║   ██║██║      ███╔╝  
██║ ╚████║╚██████╔╝╚██████╔╝██████╔╝╚██████╔╝███████╗███████╗ 
╚═╝  ╚═══╝ ╚═════╝  ╚═════╝ ╚═════╝  ╚═════╝ ╚══════╝╚══════╝
                                                                 
    

What are CTFs???

For those of you who don’t know, a CTF, or Capture The Flag (no, not the sport) is an online hacking game where the goal is to find your way through various systems to find a ‘flag’, or password to solving a level in the game. It is often played by security professionals and enthusiasts alike to practice their skills and most importantly, learn new ones along the way as they play. The games come in a couple categories: forensics, cryptography, misc., binary exploitation (AKA pwn, which so many guys here are suckers for!), and web.
So, the security team that I am active in here on campus was in need of someone who can complete web CTF challenges in particular, since there was an immense lack of that (because EVERYONE wants to do pwn and binary exploits mainly. For real). And given I’ve spent way too much time on the Internet as a kid and was on and off with web challs and CTFs over the years, I figured, why not take it seriously this time? Plus, DEFCON’s Qualifiers are coming up right now, and I’d really like to contribute and compete somehow.

A Few Good CTF Websites to Start Off In

I first found Defend The Web! which is a terrific terrific (and I cannot stress enough, TERRIFIC) site that offers great web challenges for beginners as well as a forum to discuss and offer hints (during a challenge) and solutions (after you solve a challenge). They are fun if not brain-stumping, and get you to do a lot of Googling (which is okay by the way! You aren’t expected to know EVERYTHING at first) to solve the challs. So far I’m almost 50% through, and can’t wait to go through more.
Then through a lot of my friends’ recommendation, I started PicoCTF which is a CTF game aimed at high schoolers and beginners. It offers a retro 8-bit like Unity game with a storyline to interact with the challenges as you solve them, which adds an extra layer of fun to approaching them in my opinion. I sought out the web exploitation challenges in particular, which start off really easy, much like Defend The Web, and then get progressively harder with having to Google a lot. However, the best hints are in the title of the challs themselves often, when it comes to Pico.

Techniques

So! I’ll get into the nitty gritty and explain the common techniques I’ve had to use in both those games:

<html>                                                                            
  <form action="link to website here" method="post">
     <label for="name">Password:</label><br/>
     <input type="text" name="password" /><br><br>
     <input type="submit" value="Submit">
     </form>
  </html>