It starts with a simple `curl` command and ends with a critical Prototype Pollution vulnerability. Learn to think like an attacker in this Capture the Flag introduction.
#1 (about 4 minutes)
Introduction to developer-first security and CTFs
The concept of 'hack yourself' is introduced as a powerful way for developers to learn security principles by actively participating in challenges.
#2 (about 3 minutes)
Understanding the purpose and benefits of CTF events
Capture the Flag events are cross-functional, team-based challenges designed to help developers learn about security vulnerabilities in a hands-on way.
#3 (about 2 minutes)
Following the rules of engagement for a CTF
Effective participation in a CTF requires communication and collaboration, while avoiding spoilers or attacking the backend infrastructure.
#4 (about 2 minutes)
Beginning the 'Invisible Ink' CTF challenge
The walkthrough begins by examining the challenge description, the target web application, and the provided source code files for initial clues.
#5 (about 6 minutes)
Using curl for initial web application reconnaissance
The `curl` command is used to send GET and POST requests to the target URL, revealing how to correctly format requests with the proper content type.
#6 (about 1 minute)
Scanning dependencies for vulnerabilities with the Snyk CLI
The Snyk CLI tool is used to scan the project's `package.json` file, which quickly identifies a known prototype pollution vulnerability in a dependency.
#7 (about 4 minutes)
Explaining the prototype pollution vulnerability in JavaScript
Prototype pollution is a JavaScript-specific vulnerability that allows an attacker to modify an object's base prototype (`Object.prototype`), so that the injected properties show up on every object in the application that inherits from it.
#8 (about 5 minutes)
Analyzing source code to find the exploit vector
By examining the application's `index.js` file, the vulnerable `lodash.merge` function is identified as the entry point for the prototype pollution attack.
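As an added example (not code from the talk, and not lodash's implementation), the stand-in merge below reproduces the class of flaw the talk attributes to the vulnerable `lodash.merge` call in `index.js`, beside a hardened version and a check that reports whether a given merge pollutes `Object.prototype`. The request body is a constructed sample.

```javascript
// Stand-in merge mimicking the flaw class behind a vulnerable lodash.merge
// (added example code, not lodash's implementation).
// Vulnerable: every own key of `source` is walked, "__proto__" included;
// on a plain object target["__proto__"] is Object.prototype, so nested
// keys are written onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened: skip keys that reach the prototype chain and only recurse
// into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed request body: JSON.parse creates an own "__proto__" key
// (it does not set the prototype), which the merge then walks.
const PAYLOAD = '{"name":"guest","__proto__":{"isAdmin":true}}';
// Merge the payload into a fresh object, then check whether an unrelated
// object inherited the injected flag; clean up so later code is unaffected.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

Running `pollutes(unsafeMerge)` returns `true` while `pollutes(safeMerge)` returns `false`; the same check, pointed at a real dependency's merge, is a quick way to confirm a finding like the one the Snyk scan reports.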