extended web section

vinamrabhatia · May 29, 2014 · 53330a9 · 53330a9
1 parent 9d9ce56
commit 53330a9
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 19 deletions.
diff --git a/topics/web/README.md b/topics/web/README.md
@@ -2,26 +2,13 @@
 
 ##Quick Start
 
-1. Login field/text input a central part of website? Likely a [SQL injection](./sql-injections/)
+1. Login field/text input a central part of website? Two major possible options:
 
-##About
-
-Web challenges in CTF competitions usually involve the use of HTTP (or similar protocols) and technologies involved in information transfer and display over the internet like PHP, CMS's (e.g. Django), SQL, Javascript, and more. There are many tools used to access and interact with the web tasks, and choosing the right one is a major facet of the challenges. Although web browsers are the most common and well known way of interacting with the internet, tools like `curl` and `nc` allow for extra options and parameters to be passed and utilized.
-
-##Getting Started
-
-###Command Line and the Web
+ * If a databse is involved, likely a [SQL injection](./sql-injections/)
 
-If you are running linux and want extended functionality (like passing custom headers) in web challenges, bash (terminal) commands are your best bet. `cURL` is a simple but extensible [command-line tool for transferring data using various protocols](https://en.wikipedia.org/wiki/CURL), and allows users to use HTTP to interact with servers, including [POST and GET methods](https://en.wikipedia.org/wiki/HTTP#Request_methods). Additionally, some challenges will be accessed through interactive processes, which can be connected to with programs like [netcat](https://en.wikipedia.org/wiki/Netcat) or [telnet](https://en.wikipedia.org/wiki/Telnet).
+ * If the input is used in the website, possible [XSS vulnerability](./xss/)
 
-####Example
 
-To see `curl` at work, you can simply run `curl 8.8.8.8` (Google), and the html of Google's home page should appear.
-
-There are many other options and flags that can be passed to `curl`, making it an extremely useful tool in CTFs
-
-##Sources/See More
-
-[HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol)
+##About
 
-[cURL](https://en.wikipedia.org/wiki/CURL)
+Web challenges in CTF competitions usually involve the use of HTTP (or similar protocols) and technologies involved in information transfer and display over the internet like PHP, CMS's (e.g. Django), SQL, Javascript, and more. There are many tools used to access and interact with the web tasks, and choosing the right one is a major facet of the challenges. Although web browsers are the most common and well known way of interacting with the internet, tools like `curl` and `nc` allow for extra options and parameters to be passed and utilized.
diff --git a/topics/web/sql-injections/README.md b/topics/web/sql-injections/README.md
@@ -1 +1,11 @@
-#SQL Injections
+#SQL Injections
+
+##Use
+
+* Learn:
+
+ * Good [introduction and database](https://www.owasp.org/index.php/SQL_injection) of SQL injections
+
+##More
+
+[SQL Injection](https://en.wikipedia.org/wiki/SQL_injection)
diff --git a/topics/web/xss/README.md b/topics/web/xss/README.md
@@ -0,0 +1,15 @@
+# Cross-site Scripting
+
+Cross-site scripting (XSS) is a typical web vulnerability which allows attackers to inject their own client-side code into the website.
+
+## Use
+
+* Learn:
+
+ * Introduction by [Google](https://www.google.com/about/appsecurity/learning/xss/index.html) to the topic
+
+ * Game by [Google](https://xss-game.appspot.com/) for fun and practice
+
+## More
+
+[Cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting)