---
layout: ctf
title: some notes on web security
---

# web security

## practice

- [picoctf.org](https://picoctf.org)
- [websec.fr](https://websec.fr)
- https://portswigger.net/web-security/all-materials

## tooling

- curl
- devtools
- burp suite
- mitmproxy
- [webhook.site](https://webhook.site/)
- [dnslog.cn](http://www.dnslog.cn/)

## common attacks

### sqli: sql injection

### xss: cross-site scripting

### xxe: xml external entity injection

### csrf: cross-site request forgery

### ssrf: server-side request forgery

### request smuggling

### prototype pollution

## common failures

### trusting headers
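A worked illustration of this failure, added here and not part of the original notes: an app that reads the client address from `X-Forwarded-For` as sent, beside a version that only honours the header when the TCP peer is a proxy we actually operate. The proxy address `10.0.0.5`, the admin network `10.0.0.0/8`, the function names and the sample requests are all constructed for the example.

```python
"""Added example: why trusting X-Forwarded-For is a common failure, and a
safer pattern. Assumptions (mine, not the page's): the app sits behind a
single reverse proxy at a known address, and headers arrive as a dict."""
import ipaddress

# Constructed: the one reverse proxy we own. Any other peer is "the internet".
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
# Constructed: network from which the admin panel is allowed.
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")


def client_ip_naive(peer_ip: str, headers: dict) -> str:
    """Vulnerable: believes whatever the request carries in X-Forwarded-For.
    A client connecting directly, or prepending its own value before the
    proxy appends the real one, can pick any address it likes (allowlist
    bypass, rate-limit evasion, log poisoning)."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: dict) -> str:
    """Only honour X-Forwarded-For when the TCP peer is a trusted proxy, and
    then take the rightmost address that is not itself a trusted proxy:
    that is the one our proxy saw on the wire. The leftmost value is
    whatever the client chose to send and is never trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer_ip  # direct connection: the header is attacker-controlled
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not guess, fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer_ip


def admin_allowed(peer_ip: str, headers: dict, resolver=client_ip_hardened) -> bool:
    """IP allowlist check whose outcome depends entirely on which resolver
    decides what 'the client IP' is."""
    return ipaddress.ip_address(resolver(peer_ip, headers)) in ADMIN_NET


if __name__ == "__main__":
    # Constructed request: an external client hitting the app directly and
    # claiming an internal address in the header.
    direct_spoof = ("203.0.113.9", {"X-Forwarded-For": "10.0.0.99"})
    print("naive   :", admin_allowed(*direct_spoof, resolver=client_ip_naive))
    print("hardened:", admin_allowed(*direct_spoof))
```

The real fix belongs one layer out as well: the proxy should overwrite or strip the inbound `X-Forwarded-For` (and the same goes for `Host`, `X-Forwarded-Host`, `X-Real-IP` and friends) so the app never sees a client-supplied value, and the app should only trust those headers from peers it can name.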