picoCTF writeup: Introductory web application injections
picoCTF (n.d.) recently concluded its 2023 capture-the-flag event. As in previous years, it came with a number of web exploitation tasks for contestants to solve. In this article, I discuss my experience working out the flag for two of them: the first is SOAP, which covers XXE (XML external entity) injection, and the second is More SQLi, which, as its title implies, deals with a more widely known class of vulnerability: SQL injection.

Contents at a glance
- Procedure
- End matter
- References
Procedure
Before proceeding, I should define the objectives for these picoCTF challenges. For both SOAP (Njogu 2023) and More SQLi (Mikail 2023), the ultimate goal is to work out the “flag,” a string that is obtained by exploiting the vulnerability the challenge is built around. The methods need not be the ones the challenge prescribes, but using them is recommended.
Note that to access these challenges, the reader may need a picoCTF account and must sign in to the picoCTF website with it.