Advanced Web Exploitation
Foundational web challenges hide flags in cookies and single injections. Advanced ones make you chain bugs: stored XSS that steals an admin bot's session, SSRF that pivots to an internal service, XXE that reads server files, and WebAssembly you have to decompile. This path assumes you are fluent with dev tools, cookies, and basic SQL injection and SSTI.
- Step 01
Advanced Injection and Filter Bypass
Real injection rarely works on the first payload because input is filtered. ORDER ORDER hides the flag behind a UNION SELECT that only fires when a report is generated, and msfroggenerator2 wraps a server-side injection in stricter sanitization you have to bypass before you can execute commands.
- Step 02
Exploiting Admin Bots
Many web challenges run a headless browser that visits a page as an authenticated admin. Your job is to plant a payload the bot will execute: stored XSS that exfiltrates its session cookie, or a CSRF or race condition that makes it render something it should not. This is how cookie theft works in the real world.
- Step 03
SSRF and Internal Pivoting
Server-Side Request Forgery (SSRF) turns the vulnerable server into your proxy for reaching the internal network. The hardest web challenges chain SSRF with a second bug, like template injection, to reach a service that is not exposed to the internet and exfiltrate a flag from behind it.
- Step 04
XML, XPath, and Path Traversal
Structured input formats open their own attack class. X marks the spot exploits an XXE or XPath injection to read server-side files, and notepad abuses backslash path traversal to write a Jinja2 template that becomes SSTI when you trigger it. Understanding how parsers resolve paths and entities is the key.
- Step 05
Client-Side and WebAssembly Reversing
Not all web logic runs on the server. The Java Script Kiddie challenges make you reverse an obfuscated JS image decoder and brute-force its keys, while the Some Assembly Required series hands you WebAssembly modules with layered XOR and encryption you must decompile and peel apart.