CTF Literature

Collection of free books, papers and articles related to CTF challenges.

How To Get Started In CTF
CTFtime
Hack.lu (2014) Writeups

Web

Cross-site scripting (XSS)

• OWASP - XSS
• OWASP - XSS Filter Evasion Cheat Sheet
• DOM Clobbering
• HTML Markup Injection
• Testing For Reflected XSS
• Testing For Stored XSS
• Testing For DOM-based XSS

Cross-Site Request Forgery (CSRF)

• OWASP - CSRF
• Testing For CSRF

Local File Inclusion (LFI)

• Testing For LFI

Remote File Inclusion (RFI)

• Testing for RFI
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program

SQL-Injection (SQLi)

• OWASP - SQLi
• Testing For SQL Injections
• SQL Backdoors
• Bypassing Modern SQL Injection Security Measures
• 9.6 Comment Syntax
• Cheat Sheets
• [video] Advanced SQL Injection
• [video] Defcon 18 - You Spent All That Money And You Still Got Owned

LDAP Injection

• OWASP - LDAP Injection
• Testing For LDAP Injection
• LDAP Injection & Blind LDAP Injection

Path Traversal

• OWASP - Path Traversal
• Testing For Path Traversal

Cookies

• OWASP - Session Hijacking
• Cookies

Command Injection

• The Unexpected Dangers Of preg_replace()
• Exploiting PHP PCRE Functions

Languages / Databases

• PHP
• ASP.NET
• Node.js
• jQuery
• Javascript
• Ruby

• MySQL
• MSSQL
• PostgreSQL
• SQLite
• Berkeley DB

Tools

• w3af - Web Application Attack and Audit Framework (Windows/Linux)
• Firefox - Addon Pack (Web Pen Testing)

Practice

• HackMe
• Damn Vulnerable Web Application (DVWA)
• Mutillidae
• OWASP Broken Web Applications Project

Reverse Engineering

Introduction To Reverse Engineering

• Reverse Engineering for Beginners
• Debugging With EDB

Obfuscation

• ELF Obfuscation: Let Analysis Tools Show Wrong External Symbol Calls

Tools

• OllyDBG (x86 Debugger)
• IDA Pro (Interactive Disassembler)
• strace (Linux)

Practice

• Crackmes.de

Crypto

Introduction To Crypto

• Learn Cryptography
• Cryptography World

Tools

• HashID (Identify Hashes)

Exploitation

Introduction To Exploitation

• The Linux man-pages Project
• Special File Permissions (setuid, setgid and Sticky Bit)
• Linux Users and Groups

Format String Attakcs

• Exploiting Format String Vulnerabilities

Off-By-One Attacks

• Off-by-One Exploitation Tutorial

Tools

• Metasploit

Practice

• Exploit Exercises

Forensics

Introduction To Forensics

• List Of File Signatures (Magic Numbers)

Tools

• Top 20 Free Forensics Tools