Web Security Basics
5 guided sections and curated resources to get you contest-ready.
How the Web Works
Before diving into web security, you need to understand how websites actually work. When you type a URL in your browser, here's what happens:
- DNS Resolution: Your browser asks DNS servers to translate the domain name (like google.com) into an IP address
- TCP Connection: A connection is established with the web server using the TCP/IP protocol
- HTTP Request: Your browser sends an HTTP request asking for the webpage
- Server Processing: The server processes your request, possibly querying databases
- HTTP Response: The server sends back HTML, CSS, JavaScript, and other resources
- Rendering: Your browser renders all these resources into the page you see
Understanding this flow is crucial because attackers can target each step of this process.
HTTP Methods and Headers
HTTP requests use different methods to indicate what action you want to perform:
- GET: Retrieve data (loading a page)
- POST: Submit data (login forms, file uploads)
- PUT: Update existing data
- DELETE: Remove data
- OPTIONS: Check what methods are allowed
Headers carry important metadata with each request and response:
GET /api/users HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Cookie: session=abc123
Authorization: Bearer eyJhbG...

HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=xyz789; HttpOnly; Secure
X-Frame-Options: DENY

Pro tip: Use browser Developer Tools (F12) → Network tab to see all HTTP requests your browser makes. This is your most important debugging tool!
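The following is an added example, not code from the lesson: a small parser for raw HTTP/1.1 messages like the two above, plus an audit of the response headers a defender cares about (the Set-Cookie flags and the framing header). It uses only the Python standard library; the sample request and response reproduce the lesson's text as constructed strings, and the weaker variant and the audit rules are constructed for illustration.

```python
"""Parse raw HTTP/1.1 messages and audit security-relevant response headers.

Added example, not code from the original lesson. The request and response
text below reproduce the lesson's sample messages as constructed strings so
the script runs offline; the audit rules are illustrative, not a full checker.
"""
from dataclasses import dataclass, field

# Constructed sample messages (the lesson's own example request/response).
SAMPLE_REQUEST = (
    "GET /api/users HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123\r\n"
    "Authorization: Bearer eyJhbG...\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=xyz789; HttpOnly; Secure\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    '{"users": []}'
)

# A weaker, constructed variant: same cookie without flags, no framing header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=xyz789\r\n"
    "\r\n"
)


@dataclass
class HttpMessage:
    start_line: str                               # request line or status line
    headers: dict = field(default_factory=dict)   # lower-cased name -> [values]
    body: str = ""


def parse_http_message(raw: str) -> HttpMessage:
    """Split a raw message into start line, headers and body.

    Header names are case-insensitive, so they are lower-cased; a header that
    appears more than once (common for Set-Cookie) keeps every value.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    msg = HttpMessage(start_line=lines[0].strip(), body=body)
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return msg


def cookie_attributes(set_cookie: str) -> dict:
    """Return the cookie name and its attributes (attribute names lower-cased).

    Flag attributes such as HttpOnly map to True; valued ones such as
    SameSite=Lax map to their value.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name, "attrs": attrs}


def audit_response(msg: HttpMessage) -> list:
    """Return human-readable findings for a parsed response."""
    findings = []
    for sc in msg.headers.get("set-cookie", []):
        cookie = cookie_attributes(sc)
        name, attrs = cookie["name"], cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} has no SameSite attribute")
    if "x-frame-options" not in msg.headers and "content-security-policy" not in msg.headers:
        findings.append("no X-Frame-Options or Content-Security-Policy header (framing not restricted)")
    return findings


if __name__ == "__main__":
    req = parse_http_message(SAMPLE_REQUEST)
    print(req.start_line, req.headers["host"])
    for label, raw in (("lesson response", SAMPLE_RESPONSE), ("weak response", WEAK_RESPONSE)):
        print(label, audit_response(parse_http_message(raw)) or ["no findings"])
```

Run it and the lesson's response produces a single finding (the session cookie carries HttpOnly and Secure but no SameSite attribute), while the weak variant produces four. Paste any response copied from the Developer Tools Network tab into the same function to get the same audit.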
Common Web Vulnerabilities Overview
The OWASP Top 10 lists the most critical web security risks. Here are the ones you'll encounter most often in CTFs:
1. Injection - When untrusted data is sent to an interpreter (SQL, command, etc.)
2. Broken Authentication - Weak session management, credential stuffing
3. Sensitive Data Exposure - Unencrypted data, information disclosure
4. XML External Entities (XXE) - Exploiting XML parsers
5. Broken Access Control - Accessing resources you shouldn't
6. Security Misconfiguration - Default credentials, verbose errors
7. Cross-Site Scripting (XSS) - Injecting malicious scripts
8. Insecure Deserialization - Manipulating serialized objects
9. Using Components with Known Vulnerabilities - Outdated libraries
10. Insufficient Logging - Not detecting attacks
In beginner CTFs, you'll mostly see injection, XSS, and broken access control.
Your Security Testing Toolkit
Every web security researcher needs these tools:
Browser Developer Tools (Built-in, Free)
- Network tab for HTTP traffic
- Console for JavaScript debugging
- Elements for DOM inspection
- Application tab for cookies and storage
Burp Suite Community Edition (Free)
- Intercept and modify HTTP requests
- Spider websites automatically
- Scan for common vulnerabilities
cURL (Command line, Free)
- Make HTTP requests from terminal
- Great for scripting and automation
# Basic GET request
curl https://example.com/api/users
# POST request with data
curl -X POST https://example.com/login \
-d "username=admin&password=test"
# Include custom headers
curl -H "Cookie: session=abc123" \
https://example.com/dashboard
# Follow redirects and show headers
curl -L -i https://example.com

Robots.txt and Information Disclosure
One of the first things to check on any website is robots.txt - a file that tells search engines which pages not to index. Ironically, this often reveals sensitive paths!
# Check robots.txt
curl https://target.com/robots.txt
# Common findings:
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /config/
Disallow: /api/internal/

Pro tip: Also check: /sitemap.xml, /.git/, /backup/, /admin/, /.env, and common file extensions like .bak, .old, .swp
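As an added example (not part of the original lesson), here is a small robots.txt parser that groups rules by user agent and then flags Disallow entries that name admin-style areas. This is the defender's side of the check above: review what your own robots.txt discloses, and treat every listed path as something that needs real access control, because Disallow hides nothing from a visitor who simply reads the file. The sample text is the lesson's own example embedded as a constructed string, and the SENSITIVE_HINTS list is a constructed starting point to adapt to your site.

```python
"""Parse robots.txt and flag Disallow rules that disclose sensitive areas.

Added example, not code from the original lesson. The sample below is the
lesson's own robots.txt example as a constructed string so it runs offline;
in practice you would feed it the file fetched from your own site.
"""

SAMPLE_ROBOTS = """\
# Common findings:
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /config/
Disallow: /api/internal/
Allow: /api/public/
"""

# Constructed list of path fragments suggesting a Disallow rule is hiding an
# application area rather than just steering crawlers. Adjust for your site.
SENSITIVE_HINTS = ("admin", "backup", "config", "internal", "private", "secret")


def parse_robots(text: str) -> dict:
    """Return {user_agent: {"disallow": [...], "allow": [...]}} per rule group.

    A group starts at one or more consecutive User-agent lines and collects the
    Allow/Disallow lines that follow. Comments (#) and blank lines are ignored,
    and field names are matched case-insensitively.
    """
    groups = {}
    current = []            # user agents the following rules apply to
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "user-agent":
            if not last_was_agent:
                current = []    # a new group begins
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
            last_was_agent = True
        else:
            last_was_agent = False
            if name in ("disallow", "allow") and current and value:
                for agent in current:
                    groups[agent][name].append(value)
    return groups


def disclosed_paths(groups: dict) -> list:
    """Return (user_agent, path) pairs for Disallow rules that look sensitive."""
    flagged = []
    for agent, rules in groups.items():
        for path in rules["disallow"]:
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                flagged.append((agent, path))
    return flagged


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, path in disclosed_paths(parsed):
        print(f"[{agent}] Disallow {path}: confirm this path is protected by authentication")
```

Every path the script flags should map to a route that already requires authentication; if it does not, the robots.txt entry is an information-disclosure finding in its own right, and the better fix is usually to remove the entry and protect the route rather than to rely on crawlers honouring the file.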