idea
injection
Unsanitized input is concatenated straight into the query. A typical login check looks like:
SELECT user FROM users WHERE username='USERNAME' AND password = 'PASSWORD'
Injecting into the password field turns the check into:
SELECT user FROM users WHERE username='USERNAME' AND password = 'sssss' OR 'aaa'= 'aaa'
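The same check written two ways, as an added example that is not part of these notes: one function builds the query by string concatenation exactly as above, the other uses a prepared statement. It runs stand-alone on an in-memory SQLite database through PDO (needs the pdo_sqlite extension); the table layout, the column name username (the note's query uses user) and the sample row are assumptions.

```php
<?php
// Added example, not part of the original notes. Uses an in-memory SQLite database
// through PDO so it runs stand-alone (needs the pdo_sqlite extension).
// Table and column names are assumptions; the note's query used a column named user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
// Constructed sample row. Cleartext password storage only mirrors the note's query;
// a real application stores a salted password hash (see password_hash()).
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery staple')");

// Vulnerable: the submitted values are pasted into the SQL text, so the quote in
// the password ends the string literal and the rest becomes SQL syntax.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT username FROM users WHERE username='$username' AND password='$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: a prepared statement sends the values separately from the query
// text, so they can only ever be compared as data, never parsed as SQL.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetch() !== false;
}

$username = 'alice';
$injected = "sssss' OR 'aaa'='aaa"; // the payload from the note, as it would arrive in $_POST['password']

var_dump(loginVulnerable($db, $username, $injected));
var_dump(loginSafe($db, $username, $injected));
var_dump(loginSafe($db, $username, 'correct horse battery staple'));
```

Run with php on the command line: the vulnerable function reports true for the injected password because the trailing OR 'aaa'='aaa' makes the WHERE clause true for every row; the prepared statement reports false for the same input (the whole string is compared as a password) and true only for the real password.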
strcmp
In PHP, strcmp can be tricked when used for password validation. In particular:
- Passing an array instead of a string makes strcmp fail and return a non-integer that compares equal to 0 under a loose == 0 check. So sending an array for a parameter where a password is expected can satisfy the comparison and bypass the protection[1].
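A small login check that shows the difference, as an added example that is not from these notes: checkLoose() is the weak strcmp(...) == 0 pattern, checkStrict() refuses non-string input and uses hash_equals(). The expected password and the array input are constructed samples; the array mirrors what PHP puts in $_POST when a form field is named password[] instead of password.

```php
<?php
// Added example, not from the notes. Models a login check that compares the
// submitted password against the expected one. Values are constructed samples.
$expectedPassword = 'hunter2';

// Weak check: strcmp() result tested with loose ==. On PHP 7 and earlier,
// strcmp() given an array emits a warning and returns NULL, and NULL == 0 is
// true, so a request that sends password[]=x instead of password=x passes.
// PHP 8 throws a TypeError instead, which this version turns into a failed login.
function checkLoose($submitted, string $expected): bool
{
    try {
        return @strcmp($submitted, $expected) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened check: refuse anything that is not a string before comparing, then
// use hash_equals(), which is strictly typed and runs in constant time.
function checkStrict($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// What PHP builds in $_POST when the form field is named password[].
$arrayInput = ['x'];

var_dump(checkLoose($arrayInput, $expectedPassword));
var_dump(checkStrict($arrayInput, $expectedPassword));
var_dump(checkStrict('hunter2', $expectedPassword));
var_dump(checkStrict('Hunter2', $expectedPassword));
```

On PHP 7 the first var_dump prints true (the array input is accepted); on PHP 8 it prints false only because the TypeError is caught. checkStrict() rejects the array and the wrong-case password on every version. The general fix is to validate the type of every request value before it reaches a comparison function, and to prefer hash_equals() or === over == for secrets.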
md5 rainbow tables
Given an unsalted MD5 hash, a rainbow table (or an online lookup such as https://md5hashing.net/hash/md5/) lets you find an input that produces the same hash.
magic hashes
PHP's loose comparison (==) treats strings of the form "0e1231231" as numbers, namely 0. When the md5 of a string has that form, comparing it with == to another such hash evaluates to 0 == 0, i.e. true. So when passwords are checked by comparing unsalted md5 hashes with ==, any input whose md5 starts with 0e followed only by digits will match. A rainbow table can help find such inputs[3].
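An added example, not from these notes, covering both the rainbow-table and the magic-hash points: it shows why == between two unsalted digests is unsafe and what to store and compare instead. The two 32-character "digest" strings are constructed stand-ins of the 0e-plus-digits form, not real md5 outputs of any input.

```php
<?php
// Added example, not from the notes. Shows why a == comparison of unsalted md5
// digests is unsafe and what to use instead. Digest strings below are constructed
// stand-ins for hashes of the "0e" + digits form, not real md5 outputs.

// Loose comparison, as in: if (md5($submitted) == $storedMd5) { ... }
function hashesMatchLoose(string $a, string $b): bool
{
    return $a == $b;
}

// Strict, constant-time comparison of the same two strings.
function hashesMatchStrict(string $a, string $b): bool
{
    return hash_equals($a, $b);
}

// Two different "magic" digests: both are numeric strings meaning 0 x 10^n = 0.0,
// so PHP compares them as numbers and finds them equal.
$storedDigest    = '0e123456789012345678901234567890';
$submittedDigest = '0e987654321098765432109876543210';

var_dump(hashesMatchLoose($storedDigest, $submittedDigest));
var_dump(hashesMatchLoose($storedDigest, '0'));
var_dump(hashesMatchStrict($storedDigest, $submittedDigest));

// Storage that defeats both tricks: password_hash() adds a per-password random
// salt and uses a slow algorithm, so equal passwords give different hashes and a
// precomputed (rainbow) table for the algorithm is useless.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

$h1 = storePassword('hunter2');
$h2 = storePassword('hunter2');
var_dump($h1 === $h2);
var_dump(verifyPassword('hunter2', $h1));
var_dump(verifyPassword('hunter3', $h1));
```

The two loose comparisons print true and the strict one false; the two password_hash() outputs differ from each other even though the input is the same, and password_verify() accepts only the right password. When reviewing PHP code, any md5() or sha1() of a password compared with == is the thing to flag.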
extract variable overwrite
PHP's extract() function turns the keys of an associative array into variables. Called on request data, it can overwrite variables that already exist (e.g. $expectedPassword) and so bypass authentication.
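An added example, not from these notes, of the overwrite and of two ways to close it. $request stands in for $_GET or $_POST, and the expected password and the request contents are constructed samples.

```php
<?php
// Added example, not from the notes. $request stands in for $_GET or $_POST;
// the values are constructed samples.

// Vulnerable: extract() with its default EXTR_OVERWRITE flag lets a request
// parameter named expectedPassword replace the local variable of that name.
function loginWithExtract(array $request): bool
{
    $expectedPassword = 'hunter2';
    extract($request);
    return isset($password) && $password === $expectedPassword;
}

// Hardened: EXTR_SKIP refuses to overwrite variables that already exist, so
// $expectedPassword keeps its value.
function loginWithExtractSkip(array $request): bool
{
    $expectedPassword = 'hunter2';
    extract($request, EXTR_SKIP);
    return isset($password) && $password === $expectedPassword;
}

// Better still: never call extract() on user input; read the one key you need.
function loginWithoutExtract(array $request): bool
{
    $expectedPassword = 'hunter2';
    $password = $request['password'] ?? '';
    return is_string($password) && hash_equals($expectedPassword, $password);
}

// A request that supplies both the password and a new "expected" value:
// ?expectedPassword=anything&password=anything
$tampered = ['expectedPassword' => 'anything', 'password' => 'anything'];

var_dump(loginWithExtract($tampered));
var_dump(loginWithExtractSkip($tampered));
var_dump(loginWithoutExtract($tampered));
var_dump(loginWithoutExtract(['password' => 'hunter2']));
```

The first call prints true (the tampered request logs in), the next two print false, and the last prints true for the genuine password. extract() on request arrays is worth a grep in any PHP code review; the same goes for the register_globals behaviour it imitates.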
password complexity
According to NIST-800-63B, passwords (Memorized Secrets) should have at least eight characters to prevent 'online attacks'. Furthermore, NIST-800-63B requires that passwords don't appear in common dictionaries. If you want to have more fun with secrets, check out OWASP Wrong Secrets at https://wrongsecrets.fly.dev/, especially challenges 16 and 23.
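A minimal check implementing the two rules just quoted, as an added example that is not from these notes: length of at least eight characters (counted as characters, not bytes, which needs the mbstring extension) and absence from a common-password list. The list here is a constructed five-entry sample; a real deployment loads one from a breach corpus.

```php
<?php
// Added example, not from the notes. A minimal memorized-secret check following
// the two NIST SP 800-63B rules quoted above: at least 8 characters, and not in a
// list of commonly used or breached passwords. The blocklist is a constructed
// sample; a real deployment loads one from a breach corpus. Needs mbstring.
const COMMON_PASSWORDS = ['password', '12345678', 'qwerty123', 'iloveyou', 'letmein1'];

// Returns null when the candidate is acceptable, otherwise the reason it fails.
function passwordRejectionReason(string $candidate): ?string
{
    // NIST counts characters, not bytes, so "pässwörd" is 8 characters long.
    if (mb_strlen($candidate, 'UTF-8') < 8) {
        return 'shorter than 8 characters';
    }
    // Normalize case so "Password" does not slip past a lowercase list.
    if (in_array(mb_strtolower($candidate, 'UTF-8'), COMMON_PASSWORDS, true)) {
        return 'appears in the common-password list';
    }
    return null;
}

foreach (['short', 'Password', 'pässwörd', 'correct horse battery staple'] as $candidate) {
    $reason = passwordRejectionReason($candidate);
    printf("%-30s %s\n", $candidate, $reason === null ? 'accepted' : 'rejected: ' . $reason);
}
```

Of the four samples, 'short' fails on length, 'Password' passes the length rule but is caught by the case-normalized list lookup, and the remaining two are accepted. Note that NIST does not ask for composition rules (digits, symbols, mixed case), so the check deliberately has none.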
default endpoints
- Prometheus: /metrics or :9090/metrics
links
references
Juice shop - a CTF - notes: 2026-04-11--juice-shop
https://github.com/HightechSec/web-ctf-container
docker run --name web-ctf -d -it -p 80:80 hightechsec/web-ctf-container
[1]: 