ctf-web
The ctf-web skill provides a structured guide and playbook for exploiting web-based Capture The Flag (CTF) challenges. It includes workflows for reconnaissance, vulnerability classification, and exploit chaining for common web attack vectors like SQLi, XSS, SSRF, and deserialization.
Is ctf-web safe to install?
Review the source first: our audit of ctf-web's source files found 14 shell commands, 7 external URLs, file reads and writes (high risk). Every command and URL listed appears verbatim in the skill's source. The skill instructs the agent to execute arbitrary shell commands and perform network requests against user-provided targets, which can lead to remote code execution or unauthorized network activity.
How we audit skills: our security review methodology.
Who is this skill for?
CTF participants and security researchers working on web-based challenges.
What can you do with it?
- Mapping web application trust boundaries
- Identifying and exploiting web vulnerabilities like SQLi, SSTI, SSRF, and XXE
- Performing reconnaissance on HTTP applications and APIs
- Executing exploit chains for authentication bypass and remote code execution
How good is this skill?
Quality score: 5/10. The skill provides a comprehensive and well-organized set of playbooks for web exploitation. It clearly defines the scope and provides actionable commands for common scenarios.
What does the skill file contain?
# CTF Web Exploitation Use this skill as a routing and execution guide for web-heavy challenges. Keep the first pass short: map the app, confirm the trust boundary, and only then dive into the detailed technique notes. ## Prerequisites **Python packages (all platforms):** ```bash pip install sqlmap flask-unsign requests ``` **Linux (apt):** ```bash apt install hashcat jq curl ``` **macOS (Homebrew):** ```bash brew install hashcat jq curl ``` **Go tools (all platforms, requires Go):** ```bash go install github.com/ffuf/ffuf/v2@latest ``` **Manual install:** - ysoserial — [GitHub](https:/...
Frequently asked questions
What types of challenges is this skill designed for?
It targets web-heavy challenges involving HTTP applications, APIs, browser clients, template engines, and identity flows.
Does this skill handle binary exploitation?
No. The skill directs users to switch to other skills like /ctf-reverse or /ctf-pwn for native binary memory corruption or reverse engineering.
What tools must be installed to use this skill?
The skill requires sqlmap, flask-unsign, requests, hashcat, jq, curl, and ffuf.