# Web Exploitation Intro

### What is web exploitation?

To quote CTF101.org, "Websites all around the world are programmed using various programming languages. While there are specific vulnerabilities in each programming language that the developer should be aware of, there are issues fundamental to the internet that can show up regardless of the chosen language or framework. These vulnerabilities often show up in CTFs as web security challenges where the user needs to exploit a bug to gain some kind of higher level privilege."

### So let's start with the internet

The process by which your computer accesses a website can actually be pretty simple. Let's break it down. To start, your computer sends out an HTTP request. There are different methods (such as GET and POST), but the important part is that the server hosting the website you're trying to access responds by sending HTML (and other information), which your computer then renders into a page.

### Inspector

I'm sure you've tried it; you've likely opened up the inspector and been overwhelmed by the information. But it can be crucial in CTFs to see some of the information that's normally hidden away from prying eyes. Let's go over some of the tabs (these are based on my inspector in Firefox).

| Tab | Function |
| --- | --- |
| Inspector | Shows the HTML and styles your computer is rendering |
| Console | Allows running JavaScript commands |
| Network | Keeps track of HTTP requests |
| Style Editor | Allows viewing and changing CSS |
| Storage | Shows things the site keeps in the browser, such as cookies |

### Curl

Curl is a command you can use in your terminal to make a single, non-interactive request to a domain. For example, `curl google.com` will fetch a response from Google. There are a lot of useful things you can do, such as changing the request method or showing the raw HTTP request and response headers, so if you ever need to, run `curl --help` to get a list of options.

### Flask

Flask was used to make today's challenges. The best way to learn it (at least the basics) is to read through the [Flask Quickstart Guide](https://flask.palletsprojects.com/en/stable/quickstart/).
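To tie the request/response and Inspector sections together, here is an added example (not code from the original post or from today's challenges) that stands up a tiny stand-in for a challenge server using only the Python standard library and drives it the way curl or the Network tab would: one GET that returns HTML with a comment only the Inspector tab would show and a cookie that lands in the Storage tab, then one POST carrying a form body. The route `/login`, the cookie values and the credential `letmein` are constructed for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection
from urllib.parse import parse_qs

class ChallengeHandler(BaseHTTPRequestHandler):
    def _send(self, code, body, extra_headers=()):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # The HTML the browser renders; the comment only shows up in Inspector,
        # and the Set-Cookie header is what lands in the Storage tab.
        self._send(200, "<html><!-- dev: form posts to /login --><h1>Login</h1></html>",
                   [("Set-Cookie", "session=guest")])

    def do_POST(self):
        # Read the urlencoded form body, as a Flask view does via request.form.
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        if form.get("password") == ["letmein"]:  # constructed sample credential
            self._send(200, "<p>welcome</p>", [("Set-Cookie", "session=user")])
        else:
            self._send(403, "<p>denied</p>")

    def log_message(self, *_): pass  # keep the demo quiet

def run_exchange():
    """Serve on a free port, send one GET and one POST, return (status, Set-Cookie, body) per response."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = HTTPConnection("127.0.0.1", server.server_port)
    try:
        conn.request("GET", "/")
        r = conn.getresponse()
        get_result = (r.status, r.getheader("Set-Cookie"), r.read().decode())
        conn.request("POST", "/login", body="password=letmein",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        r = conn.getresponse()
        post_result = (r.status, r.getheader("Set-Cookie"), r.read().decode())
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
    return get_result, post_result
```

Calling `run_exchange()` returns the same status line, `Set-Cookie` header and body you would see by pointing `curl -i` at the running server.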