Web Security Notes

This page is the central hub for my web security notes, labs, and practical exploitation writeups.
It connects the topics I study and use most often in offensive security work: web reconnaissance, request analysis, XSS, CSRF, SQL injection, SSTI, SSRF, IDOR, patching, and web exploitation workflow.

If you want background about me, certifications, and work history, see the About page.

What This Page Covers

This hub is built around three things:

1. Web application testing methodology.
2. Real exploitation cases and lab writeups.
3. Notes that connect offensive techniques with remediation and engineering context.

Web Security Methodology

For core web security methodology, the best starting point is the OSWA note series:

• OSWA WEB-200 Part 1 for web application reconnaissance, Burp Suite, XSS, CSRF, SQLi, and XML-related attacks.
• OSWA WEB-200 Part 2 for SSTI, command injection, SSRF, IDOR, and common web exploitation patterns.

These two notes form the base of how I approach web application assessment: identify the attack surface, understand trust boundaries, validate inputs and outputs, then move toward exploitation only after the application model is clear.

Exploitation Cases and Practical Writeups

The following writeups are the most relevant if you want concrete web exploitation cases instead of theory:

• HackTheBox: Neonify for web-oriented attack surface analysis and exploitation flow.
• HackTheBox: LoveTok for enumeration and vulnerability discovery in a web challenge context.
• HackTheBox: RenderQuest for web exploitation workflow and attack path construction.
• HackTheBox: jscalc for code review, vulnerability discovery, and exploitation.
• HackTheBox: Code for a broader exploitation chain with application analysis and foothold development.
• HackTheBox: Codify for application analysis, initial access, and post-exploitation context.

These posts matter for SEO because they are not generic summaries. They show how I actually reason through a target, reduce possibilities, validate assumptions, and build an exploit path from observed behavior.

Patch and Remediation Perspective

Web security content is stronger when it is not limited to offense. I also keep notes that connect exploitation with remediation:

• picoCTF: caas Writeup & Patch for both the vulnerability and the patching direction.
• Calibre CVE: CVE-2024-6782 for affected versions, vulnerability context, and risk framing.

That patch-oriented angle helps separate practical security engineering from purely challenge-based writeups.

Supporting Infrastructure and Deployment Topics

Web security testing often depends on knowing how real services are deployed and maintained. These supporting notes are useful in that context:

• Apache SSL 憑證申請安裝 for certificate request and deployment basics.
• Apache SSL 憑證更換 for certificate replacement workflow.
• Github Visitor Counter 安裝指南 ｜Cloudflare Workers + KV for a practical web-related deployment example in Traditional Chinese.
• Github Visitor Counter Installation Guide｜Cloudflare Workers + KV for the English version.

Recommended Reading Path

If your goal is to learn web security from this site in a sensible order, start here:

1. OSWA WEB-200 Part 1
2. OSWA WEB-200 Part 2
3. picoCTF: caas Writeup & Patch
4. A few targeted HTB web writeups such as HackTheBox: jscalc and HackTheBox: RenderQuest

Why These Web Security Notes Exist

I am not trying to build a generic glossary page for web security.
This hub exists to connect real web testing notes, labs, exploitation cases, and patching examples from my own study and practice so the material is easier to navigate and compare.

For broader offensive security coverage beyond web applications, continue with Penetration Testing Notes: Recon, Web, Privilege Escalation, AD, and Pivoting and Red Team Notes: OPSEC, Lateral Movement, AD Persistence, and Operator Workflow.