- Web & Web security introduction [slide]
- Access control & Business logic
- Recon & Information leak [slide]
- Insecure Upload / Path traversal / LFI [slide]
- Basic injection [slide]
- Code injection
- Command injection
- SQL injection: Basic
- SQL injection: Advanced
- Union-based
- Boolean-based
- Other
- Server-side request forgery (SSRF)
- Insecure deserialization
- Intro
- Pickle
- Insecure deserialization [slide]
- PHP
- POP Chain
- Misc (Java, .NET etc.)
- Frontend security: Basic [slide]
- Same-origin policy
- CSRF
- XSS
- Frontend security: Content Security Policy (CSP) [slide]
- Frontend security: Advanced
- Advanced injection
- NoSQL injection
- Server-side template injection (SSTI)
- Misc
- JavaScript prototype pollution [slide]
- XXE
The number after each challenge is the externally exposed port of its Docker container.
- Basic
  - Cat Shop `8100`
- SQL injection
  - Login me: Login bypass `8200`
  - Login me again: UNION-based SQL injection `8201`
- Command injection
  - DNS tool `8300`
  - DNS tool: WAF edition `8301`
- LFI
  - Meow site: Basic LFI `8400`
  - HakkaMD: LFI to RCE `8401`
- SSRF
  - Web Preview Service: Use `gopher://` to forge a request `8500`
  - SSRFrog: Bypass blacklist `8501`
- Deserialization
  - Pickle `8600`
  - Cat: Basic PHP unserialize `8601`
  - Magic cat: POP chain `8602`
- SSTI
  - Jinja2 SSTI `8700`
- Frontend
  - XSS `8800`
- Imgura: Information Leak / Upload / LFI
- DVD Screensaver: Path traversal / SQL injection / Signed Cookie
- Profile Card: XSS / CSRF / CSP Bypass
- Double SSTI: SSTI
- Log me in: FINAL: SQL injection / Information Leak