Micah Silverman

Capture the Flag 101

It starts with a simple `curl` command and ends with a critical Prototype Pollution vulnerability. Learn to think like an attacker in this Capture the Flag introduction.

Capture the Flag 101
#1about 4 minutes

Introduction to developer-first security and CTFs

The concept of 'hack yourself' is introduced as a powerful way for developers to learn security principles by actively participating in challenges.

#2about 3 minutes

Understanding the purpose and benefits of CTF events

Capture the Flag events are cross-functional, team-based challenges designed to help developers learn about security vulnerabilities in a hands-on way.

#3about 2 minutes

Following the rules of engagement for a CTF

Effective participation in a CTF requires communication and collaboration, while avoiding spoilers or attacking the backend infrastructure.

#4about 2 minutes

Beginning the 'Invisible Ink' CTF challenge

The walkthrough begins by examining the challenge description, the target web application, and the provided source code files for initial clues.

#5about 6 minutes

Using curl for initial web application reconnaissance

The `curl` command is used to send GET and POST requests to the target URL, revealing how to correctly format requests with the proper content type.

#6about 1 minute

Scanning dependencies for vulnerabilities with the Snyk CLI

The Snyk CLI tool is used to scan the project's `package.json` file, which quickly identifies a known prototype pollution vulnerability in a dependency.

#7about 4 minutes

Explaining the prototype pollution vulnerability in JavaScript

Prototype pollution is a JavaScript-specific vulnerability that allows an attacker to modify an object's base prototype, injecting properties into every object in the application.

#8about 5 minutes

Analyzing source code to find the exploit vector

By examining the application's `index.js` file, the vulnerable `lodash.merge` function is identified as the entry point for the prototype pollution attack.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Articles

View all articles

From learning to earning

Jobs that call for the skills explored in this talk.