CTF field notes: the web category
A running log of web challenges: patterns that repeat, traps I fell into, and the meta-skill CTFs are secretly teaching.
Actively tended. Revisited often, links forming to other notes.
A perpetual note. Newest season at the top; lessons distilled as they stabilize.
Patterns that keep paying rent
- Read the source like an attacker, not a reviewer. Reviewers ask “is this correct?” Attackers ask “what does this assume?” The gap between those questions is most flags, and it’s the whole thesis of the-attackers-mindset-is-systems-thinking.
- The challenge title is a hint, every time. Puzzle authors can’t resist.
- When stuck, enumerate trust boundaries. Client→server, server→database, service→service. The flag lives at the boundary the author hopes you’ll skim.
Traps I personally keep falling into
- Going deep on the first idea instead of wide on five ideas. Thirty minutes per hypothesis, then rotate.
- Forgetting that time is the score. There’s a bankroll-management flavor to this: allocating attention across challenges is a betting problem, which is what sent me down the kelly-criterion-for-bug-hunting rabbit hole.
Why bother with CTFs at all
They compress the feedback loop. Real-world offensive work pays out insight on a timescale of weeks; a CTF pays out in hours. Same muscle, faster reps, zero collateral. It’s the gym, not the sport.
Paths that lead here
- The ADHD-HTB playbook: hacking the brain that hacks the box · Ten friction-bypassing study methods for grinding HackTheBox with an ADHD brain, plus the two of them I turned into real tools: a Swipe-to-Pwn Anki deck and an htb-operator shell.
- Kelly criterion for bug hunting? · A half-formed hunch: allocating research time across targets is a bankroll problem, and Kelly might be the right lens.
- The attacker's mindset is systems thinking · Attackers don't break rules; they discover that the rules compose differently than the designers believed.
- You will never know enough, and that's the job · Imposter syndrome in security isn't a character flaw; it's an accurate readout of an unbounded field, misfiled as a personal deficiency. The fix is a traversal strategy, not more knowledge.