How Ctf Web fits into a Paperclip company.

Ctf Web drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md152 linesmarkdown
Expand
1---2name: ctf-web3description: Provides web exploitation techniques for CTF challenges. Use when the target is primarily an HTTP application, API, browser client, template engine, identity flow, or smart-contract frontend/backend surface, including XSS, SQLi, SSTI, SSRF, XXE, JWT, auth bypass, file upload, request smuggling, OAuth/OIDC, SAML, prototype pollution, and similar web bugs. Do not use it for native binary memory corruption, reverse engineering of standalone executables, disk or memory forensics, or pure cryptanalysis unless the web flaw is still the main path to the flag.4license: MIT5compatibility: Requires filesystem-based agent (Claude Code or similar) with bash, Python 3, and internet access for tool installation.6allowed-tools: Bash Read Write Edit Glob Grep Task WebFetch WebSearch7metadata:8  user-invocable: "false"9---10 11# CTF Web Exploitation12 13Use this skill as a routing and execution guide for web-heavy challenges. Keep the first pass short: map the app, confirm the trust boundary, and only then dive into the detailed technique notes.14 15## Prerequisites16 17**Python packages (all platforms):**18```bash19pip install sqlmap flask-unsign requests20```21 22**Linux (apt):**23```bash24apt install hashcat jq curl25```26 27**macOS (Homebrew):**28```bash29brew install hashcat jq curl30```31 32**Go tools (all platforms, requires Go):**33```bash34go install github.com/ffuf/ffuf/v2@latest35```36 37**Manual install:**38- ysoserial — [GitHub](https://github.com/frohoff/ysoserial), requires Java (Java deserialization payloads)39 40## Additional Resources41 42- [sql-injection.md](sql-injection.md) - SQL injection techniques: auth bypass, UNION extraction, filter bypasses, second-order SQLi, truncation, race-assisted leaks, INSERT ON DUPLICATE KEY UPDATE password overwrite, innodb_table_stats WAF bypass43- [server-side.md](server-side.md) - PHP type juggling, php://filter LFI, Python str.format traversal, SSTI (Jinja2, Twig, ERB, Mako, EJS, Vue.js, Smarty), SSRF (Host header, DNS rebinding, curl redirect, unescaped-dot regex, SNI FTP smuggling, mod_vhost_alias), PHP hash_hmac NULL44- [server-side-2.md](server-side-2.md) - XXE (basic, OOB, DOCX upload), XML injection via X-Forwarded-For, PHP variable variables, PHP uniqid predictable filename, sequential regex replacement bypass, command injection (newline, blocklist, sendmail CGI, multi-barcode, git CLI), GraphQL injection (introspection, batching, interpolation)45- [server-side-exec.md](server-side-exec.md) - Direct code execution paths, upload-to-RCE, deserialization-adjacent execution, LaTeX injection, header and API abuses46- [server-side-exec-2.md](server-side-exec-2.md) - More execution chains: SQLi fragmentation, path parser tricks, polyglot uploads, wrapper abuse, filename injection, BMP pixel webshell with filename truncation47- [server-side-deser.md](server-side-deser.md) - Java/Python/PHP deserialization and race-condition playbooks, PHP SoapClient CRLF SSRF via deserialization48- [server-side-advanced.md](server-side-advanced.md) - Advanced SSRF, traversal, archive, parser, framework, and modern app-server issues, Nginx alias traversal49- [server-side-advanced-2.md](server-side-advanced-2.md) - Docker API SSRF, Castor/XML, Apache expression reads, parser discrepancies, Windows path tricks, rogue MySQL server file read50- [server-side-advanced-3.md](server-side-advanced-3.md) - Part 3 (CSAW/35C3/ASIS/PlaidCTF 2018): WAV polyglot upload, multi-slash URL `path.startswith` bypass, Xalan XSLT `math:random()` seed guess, SoapClient `_user_agent` CRLF method smuggling, `gopher:///` no-host URL scheme bypass, SSRF credential leak via attacker-specified outbound URL51- [server-side-advanced-4.md](server-side-advanced-4.md) - Part 4: WeasyPrint SSRF/file read (CVE-2024-28184), MongoDB regex/$where blind oracle, Pongo2 Go template injection, ZIP PHP webshell, basename() bypass, wget CRLF SSRF→SMTP, Gopher SSRF to MySQL blind SQLi, React Server Components Flight RCE (CVE-2025-55182), AMQP/TLS interception via sslsplit+arpspoof, CairoSVG XXE, Bazaar repo reconstruction52- [client-side.md](client-side.md) - XSS, CSRF, cache poisoning, DOM tricks, admin bot abuse, request smuggling, paywall bypass53- [client-side-advanced.md](client-side-advanced.md) - CSP bypasses, Unicode tricks, XSSI, CSS exfiltration, browser normalization quirks, postMessage null origin bypass54- [auth-and-access.md](auth-and-access.md) - Auth/authz bypasses, hidden endpoints, IDOR, redirect chains, subdomain takeover, AI chatbot jailbreaks55- [auth-and-access-2.md](auth-and-access-2.md) - Part 2 (2018-era): `std::unordered_set` bucket collision auth bypass, `nodeprep.prepare` Unicode homograph username collision, SRP A=0/A=N auth bypass, ArangoDB AQL MERGE privilege escalation56- [auth-jwt.md](auth-jwt.md) - JWT/JWE manipulation, weak secrets, header injection, key confusion, replay57- [auth-infra.md](auth-infra.md) - OAuth/OIDC, SAML, CORS, CI/CD secrets, IdP abuse, login poisoning58- [node-and-prototype.md](node-and-prototype.md) - Prototype pollution, JS sandbox escape, Node.js attack chains59- [web3.md](web3.md) - Solidity and Web3 challenge notes60- [cves.md](cves.md) - CVE-driven techniques you can match against challenge banners, headers, dependency leaks, or version strings61- [field-notes.md](field-notes.md) - Long-form exploit notes: quick references for SQLi, XSS, LFI, JWT, SSTI, SSRF, command injection, XXE, deserialization, race conditions, auth bypass, and multi-stage chains62 63## When to Pivot64 65- If the target is a native binary, custom VM, or firmware image, switch to `/ctf-reverse` first.66- If the HTTP bug only gives you code execution and the hard part becomes memory corruption or seccomp escape, switch to `/ctf-pwn`.67- If the "web" challenge really turns on JWT math, custom MACs, or crypto primitives, switch to `/ctf-crypto`.68- If the web challenge involves analyzing logs, PCAPs, or recovering artifacts from a web server, switch to `/ctf-forensics`.69- If the challenge requires gathering intelligence from public web sources, DNS records, or social media before exploitation, switch to `/ctf-osint`.70 71## First-Pass Workflow72 731. Identify the real boundary: browser only, backend only, mixed app, or auth flow.742. Capture one normal request/response pair for every major feature before fuzzing.753. Enumerate hidden functionality from JS bundles, response headers, routes, and alternate methods.764. Classify the likely bug family: injection, authz, parser mismatch, upload, trust proxy, state machine, or client-side execution.775. Build the smallest proof first: leak, bypass, or primitive. Save full exploit chaining for later.78 79## Quick Start Commands80 81```bash82# Recon83curl -sI https://target.com84ffuf -u https://target.com/FUZZ -w wordlist.txt85curl -s https://target.com/robots.txt86 87# SQLi quick test88sqlmap -u "https://target.com/page?id=1" --batch --dbs89 90# JWT decode (no verification)91echo '<token>' | cut -d. -f2 | base64 -d 2>/dev/null | jq .92 93# Cookie decode (Flask)94flask-unsign --decode --cookie '<cookie>'95flask-unsign --unsign --cookie '<cookie>' --wordlist rockyou.txt96 97# SSTI probes98curl "https://target.com/page?name={{7*7}}"99curl "https://target.com/page?name={{config}}"100 101# Request inspection102curl -v -X POST https://target.com/api -H "Content-Type: application/json" -d '{}'103```104 105## First Questions to Answer106 107- Is the flag likely in the browser, an API response, a local file, a database row, or an internal service?108- Does the app trust user-controlled data in templates, redirects, file paths, headers, serialized objects, or background jobs?109- Are there multiple parsers disagreeing with each other: proxy vs app, URL parser vs fetcher, sanitizer vs browser, serializer vs filter?110- Can you turn the bug into a smaller primitive first: read one file, forge one token, call one internal endpoint, trigger one bot visit?111 112## High-Value Recon Checks113 114- Read the HTML, inline scripts, and bundled JS before guessing the API surface.115- Compare what the UI submits with what the backend accepts; optional JSON fields often unlock hidden paths.116- Check obvious metadata and helper paths early: `/robots.txt`, `/sitemap.xml`, `/.well-known/`, `/admin`, `/debug`, `/.git/`, `/.env`.117- Try alternate verbs and content types on interesting routes: `GET`, `POST`, `PUT`, `PATCH`, `TRACE`, JSON, form, multipart, XML.118- Treat file upload, PDF/export, webhook, OAuth callback, and admin bot features as likely exploit multipliers.119 120## Fast Pattern Map121 122- SQL errors, odd filtering, or state-dependent DB behavior: start with [sql-injection.md](sql-injection.md).123- Templating, file reads, SSRF, command execution, XML, or parser bugs: start with [server-side.md](server-side.md) and [server-side-exec.md](server-side-exec.md).124- XSS, CSP bypass, admin bot, client routing, DOM issues, or scriptless exfiltration: start with [client-side.md](client-side.md).125- Session forgery, hidden admin routes, JWT, OAuth, SAML, or weak trust boundaries: start with [auth-and-access.md](auth-and-access.md), [auth-jwt.md](auth-jwt.md), and [auth-infra.md](auth-infra.md).126- Node.js apps, prototype pollution, VM sandboxes, or SSRF into internal services: add [node-and-prototype.md](node-and-prototype.md).127- Smart contract frontends or blockchain-integrated apps: add [web3.md](web3.md).128 129## Common Chain Shapes130 131- Recon -> hidden route -> auth bypass -> internal file read -> token or flag132- XSS or HTML injection -> admin bot -> privileged action -> secret leak133- Traversal or upload -> config/source leak -> secret recovery -> session forgery134- SSRF -> metadata or internal API -> credential leak -> code execution135- SQLi or NoSQL injection -> credential bypass -> second-stage template or upload abuse136 137## Deep-Dive Notes138 139Use [field-notes.md](field-notes.md) once you have confirmed the challenge is truly web-heavy and you need the long exploit catalog.140 141- Recon, SQLi, XSS, traversal, JWT, SSTI, SSRF, XXE, and command injection quick notes142- Deserialization, race conditions, file upload to RCE, and multi-stage chain examples143- Node, OAuth/SAML, CI/CD, Web3, bot abuse, CSP bypasses, and modern browser tricks144- CVE-shaped playbooks and older challenge patterns that still show up in modern CTFs145 146## Common Flag Locations147 148- Files: `/flag.txt`, `/flag`, `/app/flag.txt`, `/home/*/flag*`149- Environment: `/proc/self/environ`, process command line, debug config dumps150- Database: tables named `flag`, `flags`, `secret`, or seeded challenge content151- HTTP: custom headers, archived responses, hidden routes, admin exports152- Browser: hidden DOM nodes, `data-*` attributes, inline state objects, source maps
Related skills
Ctf Ai Ml

Install Ctf Ai Ml skill for Claude Code from ljagiello/ctf-skills.
Ctf Crypto

Install Ctf Crypto skill for Claude Code from ljagiello/ctf-skills.
Ctf Forensics

Install Ctf Forensics skill for Claude Code from ljagiello/ctf-skills.