There is an order to this, and most people get it wrong
Web exploitation is the largest category on picoCTF and the one with the most ways to spin your wheels. People open a challenge, see a login form, and immediately start throwing ' OR 1=1-- at it before they have even read the page source. That is the wrong move at the wrong time. The skill that separates people who solve web challenges from people who stare at them is not knowing more payloads. It is knowing which class of bug they are looking at, and reaching the right technique on the first guess instead of the tenth.
This is a roadmap, not a tutorial. Every link below points to a full technique guide on this site. Read this page to learn the order and the decision rule; follow the links to learn the mechanics. If you are brand new, work the tiers top-to-bottom. If you already know some of this, jump to the tier that matches the bug in front of you.
You do not learn web hacking by collecting payloads. You learn it by learning where untrusted input lands, and what happens to it when it gets there.
The decision rule: classify the bug by where your input lands
Before you pick a technique, answer one question: where does my input go? Almost every web vulnerability is the same root cause (untrusted input crossing into a context that trusts it) and the only thing that changes is the destination. Recon tells you the destination. Once you know it, the technique picks itself.
| Your input lands in... | The bug class | Go to |
|---|---|---|
| The database query | SQL / NoSQL injection | Tier 2 |
| A shell command or a template | Command injection / SSTI | Tier 3 |
| The rendered page or another user's browser | XSS / CSRF | Tier 4 |
| A server-side fetch or a file path | SSRF / LFI / XXE / upload | Tier 5 |
| A cookie, token, or access check | Session / auth bypass / IDOR | Tier 6 |
| A deserializer or an interpreter | Deserialization / sandbox escape | Tier 7 |
| A GraphQL resolver | GraphQL abuse | Tier 8 |
Tier 1: Recon and tooling (do this before anything else)
You cannot classify a bug you have not seen. Recon is not a phase you do once and forget; it is the thing that hands you the destination for the decision rule above. Source comments, hidden endpoints, robots.txt, response headers, and a proxy that lets you replay and tamper requests are how every web solve starts.
- 1.1Web Recon for CTFReading source, headers, robots.txt, and hidden paths to find where input enters.
- 1.2Burp Suite for CTFIntercepting, replaying, and tampering requests so you can test every parameter.
Tier 2: Injection into the database
The most classic web bug and the right place to start once recon is solid. Your input reaches a query, the query trusts it, and you rewrite the query's logic. Learn the relational version first because the mental model (break out of the string context, inject logic, read the response) transfers directly to the document-store version.
- 2.1SQL Injection for CTFBreaking out of a SQL string, UNION-based reads, and blind boolean and time extraction.
- 2.2NoSQL Injection for CTFOperator injection ($ne, $gt, $regex) against MongoDB-style document queries.
Tier 3: Injection into commands and templates
Same root cause, higher stakes. Here your input lands somewhere that runs it as code: a shell that executes it, or a template engine that evaluates it. Both can hand you a direct path from a text box to running commands on the server, so this tier is where web exploitation starts to look like remote code execution.
- 3.1Command Injection for CTFChaining shell metacharacters when input is concatenated into a system command.
- 3.2Server-Side Template InjectionDetecting the engine, then climbing from expression evaluation to RCE through the object model.
Tier 4: Client-side (the bug fires in a browser, not the server)
Until now your input attacked the server. Client-side bugs attack a user: your payload runs in someone else's browser, or rides their authenticated session. In CTF this often means tricking an automated "admin" bot into visiting your payload so it leaks its own cookie or performs an action for you.
- 4.1XSS for CTFReflected, stored, and DOM injection of JavaScript, plus stealing an admin bot's cookie.
- 4.2CSRF for CTFForcing an authenticated victim to submit a state-changing request they never intended.
Tier 5: Server-side request and file bugs
This tier is about making the server reach for something it should not: an internal URL, a file on disk, an XML entity, or an uploaded file it then executes. The payoff is access to resources the network or filesystem was supposed to keep private. These four bugs cluster together because they all abuse the server's trust in a location you control.
- 5.1SSRF for CTFCoercing a server-side fetch toward internal services, metadata endpoints, and localhost.
- 5.2LFI for CTFPath traversal, PHP wrappers, and log poisoning to read or execute local files.
- 5.3XXE for CTFExternal entity injection in XML parsers to read files and pivot to SSRF.
- 5.4File Upload ExploitationBypassing extension, content-type, and magic-byte checks to drop an executable file.
Tier 6: Sessions and access control
Now the target is identity. Instead of injecting into a sink, you forge or tamper with the thing that decides who you are and what you can see. Weak cookies, forgeable tokens, missing authorization checks, and predictable object references all let you become someone you are not, or read records that were never yours.
- 6.1Cookies and JWTs for CTFDecoding and forging session cookies and JWTs, including alg-confusion and weak-secret attacks.
- 6.2Auth Bypass and IDORSkipping login logic and walking sequential or guessable IDs to reach other users' data.
Tier 7: Code execution (the deep end)
The hardest tier, where you turn a foothold into arbitrary code running on the server. Deserialization bugs rebuild attacker-controlled objects into live code paths; sandbox escapes claw out of a deliberately restricted Python interpreter. Both require you to understand the language runtime, not just the web layer, which is why they sit last.
- 7.1Insecure DeserializationGadget chains in pickle, PHP, and Java that execute code when untrusted data is rebuilt.
- 7.2Python Sandbox BypassEscaping restricted eval/exec jails through introspection, dunder traversal, and import tricks.
Tier 8: Modern API surfaces
Newer challenges increasingly ship a GraphQL endpoint instead of a REST form. The bug classes are familiar (injection, broken authorization, information disclosure) but the surface is different: introspection hands you the whole schema, and a single query can batch, nest, and over-fetch in ways a REST endpoint never could.
- 8.1GraphQL ExploitationIntrospection, field suggestion, batching abuse, and authorization gaps in resolvers.
The capstone: real-world bug patterns
Every guide above isolates one technique on a clean target. Real challenges (and real applications) chain them. Recon finds an IDOR that leaks a token, the token unlocks an admin panel, the admin panel has an SSTI, and the SSTI is your shell. The capstone post shows how the tiers compose into the patterns that actually win events.
- 9.1Web Challenges: Real-World Bug PatternsHow recon, injection, access control, and RCE chain together the way real targets break.
The tiers are a vocabulary, not a checklist. Once you can name each bug by where input lands, you stop solving challenges by luck and start solving them by reading.
Where to practice, easy to hard
Reading does not build the instinct; reps do. These picoCTF challenges map onto the roadmap and run easy-to-hard, so you can pair each technique guide with a target the same afternoon you read it.
- picoCTF 2019 Where Are the Robots warms up Tier 1:
robots.txtand hidden paths are the entire challenge. - picoCTF 2022 Inspect HTML is pure recon practice: the flag lives in the page source you were always meant to read.
- picoCTF 2021 Cookies is the gentlest possible Tier 6: decode and tamper a session cookie to escalate.
- picoCTF 2022 Local Authority is a client-side auth-logic bug: the check that decides who you are runs where you can see and edit it.
- picoCTF 2024 No SQL Injection steps up to Tier 2: operator injection against a document store, exactly the NoSQL guide.
Quick reference
The roadmap in one screen
- Recon first. Read source, headers,
robots.txt; proxy everything through Burp. - Ask the decision question: where does my input land?
- Database? SQL, then NoSQL injection.
- Shell or template? Command injection, then SSTI.
- Another user's browser? XSS, then CSRF.
- A server-side fetch or file path? SSRF, LFI, XXE, file upload.
- A cookie or access check? Cookie/JWT forgery, then auth bypass and IDOR.
- A deserializer or interpreter? Insecure deserialization, then sandbox escape.
- A GraphQL endpoint? Introspect, then abuse resolvers and batching.
- Chain them. The capstone shows how real targets compose these into one break.
Web exploitation is not a pile of payloads; it is one question (where does my input land) asked over and over until the answer is a flag.