
Ctf Web
Install when you are solving or authoring CTF web challenges and need agent recall of auth bypass, collision, and injection patterns from real 2018-era writeups.
Overview
CTF Web is an agent skill for the Ship phase that teaches named web authentication and access-control attack patterns from CTF writeups for authorized lab and challenge work.
Install
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-web
What is this skill?
- Documents four 2018 CTF auth/access attack families with named sources
- Covers std::unordered_set bucket-collision hash auth bypass (Hackover 2018)
- Covers Unicode homograph username collision and SRP A=0 / A=N bypass patterns
- Covers ArangoDB AQL MERGE injection for privilege escalation
- Cross-links foundational auth, JWT, and auth-infra companion docs in the repo
- Four documented 2018-era auth and access-control attack patterns in the Part 2 TOC
- Companion auth docs: auth-and-access, auth-jwt, and auth-infra cross-linked
Adoption & trust: 4.8k installs on skills.sh; 2.3k GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are stuck on a web CTF auth challenge or designing access control and lack a concise catalog of real bypass patterns your agent can apply step by step.
Who is it for?
Builders doing authorized CTF practice, security homework, or threat modeling who want agent-ready exploit pattern sheets for web auth.
Skip if you need production deployment runbooks or compliance audit material, or if you intend to attack live systems without explicit permission.
When should I use this skill?
When solving or explaining CTF web challenges involving authentication, username collisions, SRP, or database merge injection.
What do I get? / Deliverables
Your agent can walk through documented bypass shapes—collisions, homographs, SRP flaws, and AQL merge abuse—so you can capture flags or stress-test your own auth design.
- Step-oriented exploit pattern notes aligned to named CTF sources
- Pointers to related JWT and auth-infrastructure attack modules in the repo
Journey fit
Offensive web auth patterns belong on the security shelf during ship and hardening, where you validate access control assumptions—not in casual idea research. Security subphase is the canonical home for exploit-pattern playbooks tied to authentication and authorization failures on web stacks.
How it compares
Use as a CTF pattern reference skill, not a replacement for OWASP ASVS-style secure design checklists for shipping customer data.
Common Questions / FAQ
Who is ctf-web for?
Developers and security hobbyists solving web CTFs or studying auth failures who want an agent skill that encodes specific bypass techniques from public challenges.
When should I use ctf-web?
Use it in Ship security work when modeling threats for your API, when practicing challenge auth modules, or when your agent needs the Hackover bucket-collision or ArangoDB MERGE escalation narratives.
Is ctf-web safe to install?
The content describes offensive techniques for learning; review the Security Audits panel on this page and only aim the agent at systems you are authorized to test.
SKILL.md
# CTF Web - Auth & Access Control Attacks (Part 2)

2018-era additions: bucket-collision hash auth bypass, Unicode username homograph collision, SRP A=0/A=N bypass, ArangoDB AQL MERGE privilege escalation. For foundational auth/access techniques see [auth-and-access.md](auth-and-access.md). For JWT attacks see [auth-jwt.md](auth-jwt.md). For OAuth/OIDC/SAML/CI-CD, see [auth-infra.md](auth-infra.md).

## Table of Contents

- [std::unordered_set Bucket Collision Auth Bypass (Hackover 2018)](#stdunordered_set-bucket-collision-auth-bypass-hackover-2018)
- [nodeprep.prepare Homograph Username Collision (HCTF 2018)](#nodeprepprepare-homograph-username-collision-hctf-2018)
- [SRP A=0, A=N Auth Bypass (OTW Advent 2018)](#srp-a0-an-auth-bypass-otw-advent-2018)
- [ArangoDB AQL MERGE Injection for Privilege Escalation (P.W.N. CTF 2018)](#arangodb-aql-merge-injection-for-privilege-escalation-pwn-ctf-2018)

---

## std::unordered_set Bucket Collision Auth Bypass (Hackover 2018)

**Pattern:** A C++ backend stores credential hashes in `std::unordered_set<std::string>`. The set's bucket index is derived from only the first bytes of a SHA-512 digest (truncated `size_t` hash). The lookup loop aborts early after a bounded number of bucket probes (`MAX_LOOKUPS = 1000`). Flood the set with 1000+ entries that all collide in the same bucket as the `root` account — the compare for the correct entry never executes and the call returns "found" on an attacker-chosen password.
```cpp
// Vulnerable shape
std::unordered_set<std::string> users;
auto it = users.find(login_key); // probes at most MAX_LOOKUPS
if (it != users.end()) { /* accepted */ }
```

```python
# Flood registration: every entry collides in root's bucket
import requests

for i in range(1100):
    requests.post("http://target/register", data={"name": f"ro{i:04d}", "password": "ot1"})

# Log in as root with an arbitrary password — loop gives up before compare
requests.post("http://target/login", data={"name": "root", "password": "anything"})
```

**Key insight:** Hash-table implementations that truncate digests into bucket indices expose a second-preimage surface: the attacker only has to match the bucket, not the full hash. When the data structure also has a bounded probe count (DoS guard), flooding the bucket turns an authentication check into an unconditional accept. Any `unordered_map`/`unordered_set` keyed on low-entropy derivations of user input is suspect — watch for `std::hash<std::string>` implementations that reduce to `size_t` via XOR-folding.

**References:** Hackover CTF 2018 — secure-hash, writeup 11502

---

## nodeprep.prepare Homograph Username Collision (HCTF 2018)

**Pattern:** Registration calls Node's `node-xmpp-server` `nodeprep.prepare(username)` which runs RFC-3491/Stringprep normalization. Unicode characters like `ᴬ` (U+1D2C Modifier Letter Capital A) normalize to ASCII `A`, then the existing user lookup finds the already-registered `admin`. Register `ᴬdmin` with any password, and the lookup returns the real admin row — set a new password via a password-reset flow.

```text
username: \u1D2Cdmin   # ᴬdmin
nodeprep.prepare("ᴬdmin") == "admin"
```

**Key insight:** Any pipeline that (1) normalizes usernames before lookup but (2) stores the pre-normalized form separately is vulnerable. Normalize once at write-time and never accept users whose pre-normalized form collides with an existing row.
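A defender-side registration check for the homograph collision above, added here as an example and not code from the ctf-skills repo. It approximates `nodeprep.prepare` with Python's `unicodedata` NFKC normalization plus case folding, and the in-memory `UserStore` is a constructed stand-in for the real user table.

```python
import unicodedata
from typing import Dict, Optional


def canonical_username(name: str) -> str:
    """Approximate nodeprep.prepare: NFKC compatibility normalization plus case folding.

    U+1D2C (MODIFIER LETTER CAPITAL A) has a compatibility decomposition to 'A',
    so the homograph of "admin" becomes "Admin" and then "admin". A second NFKC
    pass catches composable forms that casefold itself can produce.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return unicodedata.normalize("NFKC", folded)


class UserStore:
    """Constructed in-memory stand-in for the user table, keyed by canonical name."""

    def __init__(self) -> None:
        self._rows = {}  # type: Dict[str, Dict[str, str]]

    def register(self, name: str, password: str) -> bool:
        """Normalize once at write-time and refuse any name whose canonical form
        already exists, so a homograph can never alias an existing account."""
        key = canonical_username(name)
        if key in self._rows:
            return False
        self._rows[key] = {"display": name, "password": password}
        return True

    def lookup(self, name: str) -> Optional[Dict[str, str]]:
        """Lookups use the same canonical key as registration, so the two code
        paths cannot disagree about which row a name refers to."""
        return self._rows.get(canonical_username(name))


if __name__ == "__main__":
    store = UserStore()
    store.register("admin", "correct horse")
    # The homograph resolves to the existing admin row, so registration is refused.
    print(store.register("\u1d2cdmin", "attacker-chosen"))  # False
    print(store.lookup("\u1d2cdmin")["display"])  # admin
```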
Libraries to audit: `nodeprep`, `icu.normalize`, `unicodedata.normalize`, `golang.org/x/text/secure/precis`.

**References:** HCTF 2018 — admin, writeup 12132

---

## SRP A=0, A=N Auth Bypass (OTW Advent 2018)

**Pattern:** SRP (Secure Remote Password) implementations that do not validate `A % N != 0` allow the client to send `A = 0` (or `A = k*N`). The server computes `S = (A * v^u)^b mod N = 0`, so the session key is `H(0)` — known to the attacker. Bypass login without knowing the password.

```text
Client: sends A = 0
Server: computes S = 0
Session key:
```