July 13, 2026

The picoCTF Web Exploitation Roadmap: Recon to RCE

Web exploitation roadmap: how to learn web hacking in order, a difficulty-tiered path classifying every bug by where your input lands, with technique guides.

There is an order to this, and most people get it wrong

Web exploitation is the largest category on picoCTF and the one with the most ways to spin your wheels. People open a challenge, see a login form, and immediately start throwing ' OR 1=1-- at it before they have even read the page source. That is the wrong move at the wrong time. The skill that separates people who solve web challenges from people who stare at them is not knowing more payloads. It is knowing which class of bug they are looking at, and reaching the right technique on the first guess instead of the tenth.

This is a roadmap, not a tutorial. Every link below points to a full technique guide on this site. Read this page to learn the order and the decision rule; follow the links to learn the mechanics. If you are brand new, work the tiers top-to-bottom. If you already know some of this, jump to the tier that matches the bug in front of you.

You do not learn web hacking by collecting payloads. You learn it by learning where untrusted input lands, and what happens to it when it gets there.
Note: The learning order, above the fold: recon first, then database injection, then command and template injection, then client-side, then server-side request and file bugs, then sessions and access control, then full code execution, then modern API surfaces, then the capstone that ties them together. Each tier is harder than the last and assumes the one before.

The decision rule: classify the bug by where your input lands

Before you pick a technique, answer one question: where does my input go? Almost every web vulnerability is the same root cause (untrusted input crossing into a context that trusts it) and the only thing that changes is the destination. Recon tells you the destination. Once you know it, the technique picks itself.

Your input lands in...The bug classGo to
The database querySQL / NoSQL injectionTier 2
A shell command or a templateCommand injection / SSTITier 3
The rendered page or another user's browserXSS / CSRFTier 4
A server-side fetch or a file pathSSRF / LFI / XXE / uploadTier 5
A cookie, token, or access checkSession / auth bypass / IDORTier 6
A deserializer or an interpreterDeserialization / sandbox escapeTier 7
A GraphQL resolverGraphQL abuseTier 8
Key insight: The whole roadmap collapses into four destinations: the database, the page, the server, and the session. Recon tells you which one. If you can name the destination, you have already narrowed eight categories down to one.

Tier 1: Recon and tooling (do this before anything else)

You cannot classify a bug you have not seen. Recon is not a phase you do once and forget; it is the thing that hands you the destination for the decision rule above. Source comments, hidden endpoints, robots.txt, response headers, and a proxy that lets you replay and tamper requests are how every web solve starts.

  1. 1.1Web Recon for CTFReading source, headers, robots.txt, and hidden paths to find where input enters.
  2. 1.2Burp Suite for CTFIntercepting, replaying, and tampering requests so you can test every parameter.
Tip: Spend real time here even when it feels slow. The difference between a five-minute solve and a five-hour one is almost always whether you found the right parameter during recon or stumbled onto it by accident later.

Tier 2: Injection into the database

The most classic web bug and the right place to start once recon is solid. Your input reaches a query, the query trusts it, and you rewrite the query's logic. Learn the relational version first because the mental model (break out of the string context, inject logic, read the response) transfers directly to the document-store version.

  1. 2.1SQL Injection for CTFBreaking out of a SQL string, UNION-based reads, and blind boolean and time extraction.
  2. 2.2NoSQL Injection for CTFOperator injection ($ne, $gt, $regex) against MongoDB-style document queries.

Tier 3: Injection into commands and templates

Same root cause, higher stakes. Here your input lands somewhere that runs it as code: a shell that executes it, or a template engine that evaluates it. Both can hand you a direct path from a text box to running commands on the server, so this tier is where web exploitation starts to look like remote code execution.

  1. 3.1Command Injection for CTFChaining shell metacharacters when input is concatenated into a system command.
  2. 3.2Server-Side Template InjectionDetecting the engine, then climbing from expression evaluation to RCE through the object model.
Warning: The line between command injection and SSTI is which interpreter your input hits. Always confirm with a harmless probe (an arithmetic expression for SSTI, a benign separator for command injection) before you reach for a full payload. Guessing the wrong interpreter wastes the most time in this tier.

Tier 4: Client-side (the bug fires in a browser, not the server)

Until now your input attacked the server. Client-side bugs attack a user: your payload runs in someone else's browser, or rides their authenticated session. In CTF this often means tricking an automated "admin" bot into visiting your payload so it leaks its own cookie or performs an action for you.

  1. 4.1XSS for CTFReflected, stored, and DOM injection of JavaScript, plus stealing an admin bot's cookie.
  2. 4.2CSRF for CTFForcing an authenticated victim to submit a state-changing request they never intended.

Tier 5: Server-side request and file bugs

This tier is about making the server reach for something it should not: an internal URL, a file on disk, an XML entity, or an uploaded file it then executes. The payoff is access to resources the network or filesystem was supposed to keep private. These four bugs cluster together because they all abuse the server's trust in a location you control.

  1. 5.1SSRF for CTFCoercing a server-side fetch toward internal services, metadata endpoints, and localhost.
  2. 5.2LFI for CTFPath traversal, PHP wrappers, and log poisoning to read or execute local files.
  3. 5.3XXE for CTFExternal entity injection in XML parsers to read files and pivot to SSRF.
  4. 5.4File Upload ExploitationBypassing extension, content-type, and magic-byte checks to drop an executable file.

Tier 6: Sessions and access control

Now the target is identity. Instead of injecting into a sink, you forge or tamper with the thing that decides who you are and what you can see. Weak cookies, forgeable tokens, missing authorization checks, and predictable object references all let you become someone you are not, or read records that were never yours.

  1. 6.1Cookies and JWTs for CTFDecoding and forging session cookies and JWTs, including alg-confusion and weak-secret attacks.
  2. 6.2Auth Bypass and IDORSkipping login logic and walking sequential or guessable IDs to reach other users' data.
Tip: Cookie tampering is one of the gentlest on-ramps in all of web exploitation, which is exactly why picoCTF uses it so often. If you are stuck on a login challenge, decode the cookie before you touch the form.

Tier 7: Code execution (the deep end)

The hardest tier, where you turn a foothold into arbitrary code running on the server. Deserialization bugs rebuild attacker-controlled objects into live code paths; sandbox escapes claw out of a deliberately restricted Python interpreter. Both require you to understand the language runtime, not just the web layer, which is why they sit last.

  1. 7.1Insecure DeserializationGadget chains in pickle, PHP, and Java that execute code when untrusted data is rebuilt.
  2. 7.2Python Sandbox BypassEscaping restricted eval/exec jails through introspection, dunder traversal, and import tricks.

Tier 8: Modern API surfaces

Newer challenges increasingly ship a GraphQL endpoint instead of a REST form. The bug classes are familiar (injection, broken authorization, information disclosure) but the surface is different: introspection hands you the whole schema, and a single query can batch, nest, and over-fetch in ways a REST endpoint never could.

  1. 8.1GraphQL ExploitationIntrospection, field suggestion, batching abuse, and authorization gaps in resolvers.

The capstone: real-world bug patterns

Every guide above isolates one technique on a clean target. Real challenges (and real applications) chain them. Recon finds an IDOR that leaks a token, the token unlocks an admin panel, the admin panel has an SSTI, and the SSTI is your shell. The capstone post shows how the tiers compose into the patterns that actually win events.

  1. 9.1Web Challenges: Real-World Bug PatternsHow recon, injection, access control, and RCE chain together the way real targets break.
The tiers are a vocabulary, not a checklist. Once you can name each bug by where input lands, you stop solving challenges by luck and start solving them by reading.

Where to practice, easy to hard

Reading does not build the instinct; reps do. These picoCTF challenges map onto the roadmap and run easy-to-hard, so you can pair each technique guide with a target the same afternoon you read it.

Note: Do not save practice for after you have read everything. Read one tier, solve one matching challenge, then move on. The instinct for "where does my input land" only sets in when you have felt it land.

Quick reference

The roadmap in one screen

  1. Recon first. Read source, headers, robots.txt; proxy everything through Burp.
  2. Ask the decision question: where does my input land?
  3. Database? SQL, then NoSQL injection.
  4. Shell or template? Command injection, then SSTI.
  5. Another user's browser? XSS, then CSRF.
  6. A server-side fetch or file path? SSRF, LFI, XXE, file upload.
  7. A cookie or access check? Cookie/JWT forgery, then auth bypass and IDOR.
  8. A deserializer or interpreter? Insecure deserialization, then sandbox escape.
  9. A GraphQL endpoint? Introspect, then abuse resolvers and batching.
  10. Chain them. The capstone shows how real targets compose these into one break.

Web exploitation is not a pile of payloads; it is one question (where does my input land) asked over and over until the answer is a flag.

Keep reading

Guides that build on the same ideas, plus the roadmap this topic sits under.