Web Services

Web Basics

How applications communicate over the web

Challenges

Static vs Dynamic

🎯 What You'll Learn

  • Difference between static and dynamic content
  • How servers generate responses
  • When each is used

📖 The Concept

Static Content

Files served exactly as stored on disk.

Request:  GET /about.html
Server:   Reads /var/www/about.html from disk
Response: Exact file contents

Characteristics:

  • Same content for everyone
  • Fast (just read and send)
  • Cacheable
  • Examples: HTML, CSS, JS, images

Dynamic Content

Content generated by code at request time.

Request:  GET /profile
Server:   Runs code, queries database, builds response
Response: Personalized content

Characteristics:

  • Can vary per user/request
  • Slower (computation needed)
  • Often not cacheable
  • Examples: User profiles, search results, dashboards

How to Spot the Difference

# Static: File extension, same content always
curl http://site.com/style.css
curl http://site.com/logo.png

# Dynamic: Different results, personalization (quote URLs containing ? so the shell doesn't treat it as a glob)
curl http://site.com/api/time         # Changes every second
curl 'http://site.com/search?q=hello' # Different query = different result
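To make the "spot the difference" heuristic concrete, here is an added example that is not part of this page or the dojo's challenge server: a constructed loopback server with one static and one dynamic endpoint, plus a classify() helper that fetches a URL a few times and compares the bodies. The paths, the per-request counter and the Cache-Control values are assumptions made for the demo.

```python
import itertools
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the challenge server: one static and one dynamic endpoint.
STATIC_PAGE = b"<html><body>Static page: the same bytes every time.</body></html>"
_counter = itertools.count(1)  # per-request state that makes /dynamic/generate vary
# Talk to loopback directly, ignoring any http_proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/static/page.html":    # served as stored, so cacheable
            body, ctype, cache = STATIC_PAGE, "text/html", "public, max-age=3600"
        elif self.path == "/dynamic/generate":  # built by code at request time
            body = json.dumps({"request": next(_counter)}).encode()
            ctype, cache = "application/json", "no-store"
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", cache)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo quiet
        pass

def start_server():
    """Bind a free loopback port and serve in a background thread; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def classify(url, samples=3):
    """Fetch url `samples` times: identical bodies => 'static', any change => 'dynamic'.
    Also returns the Cache-Control header, the hint the server itself gives about it."""
    bodies, cache = [], None
    for _ in range(samples):
        with OPENER.open(url, timeout=5) as resp:
            bodies.append(resp.read())
            cache = resp.headers.get("Cache-Control")
    kind = "static" if all(b == bodies[0] for b in bodies) else "dynamic"
    return kind, cache
```

Identical samples only suggest static content: a dynamic page can look the same to every anonymous visitor, so the caching headers are the second thing to check.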

🚀 Your Challenge

The server has both static and dynamic endpoints. Find the dynamic one that generates the flag!

Static endpoints return the same content every time. Dynamic endpoints may return different content.

curl http://challenge/static/page.html
curl http://challenge/dynamic/generate

Which one gives you the flag?

Good luck! 🍀

Connect with SSH

Link your SSH key, then connect with: ssh hacker@dojo.idg.ctf

Content Types

🎯 What You'll Learn

  • MIME types and Content-Type header
  • Common content types
  • Accept header for content negotiation

📖 The Concept

The Content-Type header tells the client what kind of data the server is sending.

Common MIME Types

| Type       | MIME                   | Description     |
|------------|------------------------|-----------------|
| HTML       | text/html              | Web pages       |
| Plain text | text/plain             | Simple text     |
| JSON       | application/json       | API data        |
| XML        | application/xml        | Structured data |
| CSS        | text/css               | Stylesheets     |
| JavaScript | application/javascript | Scripts         |
| PNG        | image/png              | Images          |
| PDF        | application/pdf        | Documents       |

Content-Type Header

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{"name": "John", "age": 30}

Accept Header (Client Request)

Clients can request specific formats:

# Request JSON
curl -H "Accept: application/json" http://api.example.com/data

# Request XML
curl -H "Accept: application/xml" http://api.example.com/data

# Accept anything
curl -H "Accept: */*" http://api.example.com/data

Content Negotiation

The server returns the same resource in different formats depending on what the client's Accept header says it accepts (this is content negotiation)!
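Below is an added example of what a server does with the Accept header during content negotiation; it is not code from this page or the dojo. The negotiate() function, its q-value parsing and the server's list of supported types are assumptions made for the demo.

```python
import re

Q_PARAM = re.compile(r"q\s*=\s*([01](?:\.\d{0,3})?)$", re.I)

def parse_accept(header):
    """Split an Accept header into (media_range, q, specificity) tuples.
    Specificity: 2 for type/subtype, 1 for type/*, 0 for */*."""
    ranges = []
    for part in header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media_range = pieces[0].lower()
        if "/" not in media_range:
            continue  # skip malformed entries rather than failing the request
        q = 1.0
        for param in pieces[1:]:
            m = Q_PARAM.match(param)
            if m:
                q = float(m.group(1))
        spec = 0 if media_range == "*/*" else 1 if media_range.endswith("/*") else 2
        ranges.append((media_range, q, spec))
    return ranges

def matches(media_range, mtype):
    """Does the client's media range cover this concrete media type?"""
    if media_range == "*/*":
        return True
    if media_range.endswith("/*"):
        return mtype.split("/", 1)[0] == media_range[:-2]
    return media_range == mtype

def quality(accept_header, mtype):
    """q-value the client assigns to mtype; the most specific matching range wins.
    No Accept header means anything goes (q=1); no matching range means q=0."""
    if not accept_header:
        return 1.0
    best = None
    for media_range, q, spec in parse_accept(accept_header):
        if matches(media_range, mtype) and (best is None or spec > best[0]):
            best = (spec, q)
    return best[1] if best else 0.0

def negotiate(accept_header, supported):
    """Pick what to send: highest client q, ties broken by server preference order.
    None means nothing is acceptable and the server should answer 406 Not Acceptable."""
    chosen, chosen_q = None, 0.0
    for mtype in supported:
        q = quality(accept_header, mtype)
        if q > chosen_q:
            chosen, chosen_q = mtype, q
    return chosen
```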

🚀 Your Challenge

The server can respond in different formats. Request the right Content-Type to get the flag!

curl http://challenge/data                              # Default (text)
curl -H "Accept: application/json" http://challenge/data  # JSON
curl -H "Accept: application/xml" http://challenge/data   # XML

The flag is only in ONE format. Find it!

Good luck! 🍀


Simple API

🎯 What You'll Learn

  • What an API is
  • REST API basics
  • Making API requests with curl

📖 The Concept

An API (Application Programming Interface) lets programs talk to each other.

Web APIs

Instead of HTML pages, APIs return structured data (usually JSON).

Browser:  GET /about  →  <html>About Us</html>
API:      GET /api/users  →  [{"name": "John"}, {"name": "Jane"}]

REST API Conventions

REST APIs use URLs as resource identifiers:

GET    /api/users       - List all users
GET    /api/users/123   - Get user 123
POST   /api/users       - Create new user
PUT    /api/users/123   - Update user 123
DELETE /api/users/123   - Delete user 123

Making API Requests

# GET request (retrieve data)
curl http://api.example.com/users

# POST request (send data)
curl -X POST -H "Content-Type: application/json" \
  -d '{"name": "John"}' http://api.example.com/users

# With authentication
curl -H "Authorization: Bearer TOKEN" http://api.example.com/users

API Response

{
    "status": "success",
    "data": {
        "id": 1,
        "name": "John"
    }
}

🚀 Your Challenge

Interact with the API to get the flag:

  1. First, explore the API: curl http://challenge/api
  2. List available endpoints: curl http://challenge/api/endpoints
  3. Authenticate: curl 'http://challenge/api/auth?key=api-learner'
  4. Get the flag: curl 'http://challenge/api/flag?token=YOUR_TOKEN'

Good luck! 🍀


Request Methods

🎯 What You'll Learn

  • All major HTTP methods
  • When to use each method
  • Method semantics and conventions

📖 The Concept

HTTP methods tell the server what action you want to perform.

The Main Methods

| Method  | Purpose             | Has Body? | Safe? | Idempotent? |
|---------|---------------------|-----------|-------|-------------|
| GET     | Retrieve data       | No        | Yes   | Yes         |
| POST    | Create/submit       | Yes       | No    | No          |
| PUT     | Replace/update      | Yes       | No    | Yes         |
| PATCH   | Partial update      | Yes       | No    | No          |
| DELETE  | Remove              | Optional  | No    | Yes         |
| HEAD    | Get headers only    | No        | Yes   | Yes         |
| OPTIONS | Get allowed methods | No        | Yes   | Yes         |

Safe vs Idempotent

  • Safe: Doesn't change server state, so it can be repeated or prefetched freely (GET, HEAD)
  • Idempotent: Repeating the request leaves the server in the same state as sending it once, even if the response differs (GET, PUT, DELETE)

Using Methods with curl

curl http://example.com                    # GET (default)
curl -X POST -d "data" http://example.com  # POST
curl -X PUT -d "data" http://example.com   # PUT
curl -X DELETE http://example.com          # DELETE
curl -X PATCH -d "data" http://example.com # PATCH
curl -I http://example.com                 # HEAD
curl -X OPTIONS http://example.com         # OPTIONS
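To show both the REST resource conventions from the Simple API section and the method semantics above in working code, here is an added example that is not the dojo's API or vault server: an in-memory dispatcher for /api/users that advertises allowed methods via OPTIONS, answers HEAD with GET's headers and no body, and makes POST non-idempotent while PUT and DELETE are idempotent. The handle() function, the route set and the USERS store are assumptions made for the demo.

```python
import json
import re

# Constructed in-memory resource store standing in for the database behind a real API.
USERS = {}

def _item_id(path):
    m = re.fullmatch(r"/api/users/(\d+)", path)
    return int(m.group(1)) if m else None

def _parse_body(body):
    # A JSON object is required for create/replace; anything else becomes a 400.
    try:
        data = json.loads(body or "")
    except ValueError:
        return None
    return data if isinstance(data, dict) else None

def handle(method, path, body=None):
    """Dispatch one request to the users resource. Returns (status, headers, body bytes)."""
    method = method.upper()
    is_collection = path == "/api/users"
    uid = _item_id(path)
    if not is_collection and uid is None:
        return 404, {}, b""
    # The collection accepts POST (create); an item accepts PUT (replace) and DELETE.
    allowed = ["GET", "HEAD", "OPTIONS"] + (["POST"] if is_collection else ["PUT", "DELETE"])
    if method == "OPTIONS":  # advertise the allowed methods; nothing changes server side
        return 204, {"Allow": ", ".join(allowed)}, b""
    if method not in allowed:
        return 405, {"Allow": ", ".join(allowed)}, b""
    if method in ("GET", "HEAD"):
        if not is_collection and uid not in USERS:
            return 404, {}, b""
        data = [{**u, "id": i} for i, u in sorted(USERS.items())] if is_collection else {**USERS[uid], "id": uid}
        payload = json.dumps(data).encode()
        headers = {"Content-Type": "application/json", "Content-Length": str(len(payload))}
        return 200, headers, b"" if method == "HEAD" else payload  # HEAD: GET's headers, no body
    if method in ("POST", "PUT"):
        data = _parse_body(body)
        if data is None:
            return 400, {}, b""
        if method == "POST":  # not idempotent: every call creates another resource
            new_id = max(USERS, default=0) + 1
            USERS[new_id] = data
            return 201, {"Location": f"/api/users/{new_id}"}, b""
        USERS[uid] = data  # PUT is idempotent: the same PUT twice leaves the same state
        return 200, {}, b""
    # DELETE is idempotent too: a repeat finds nothing to remove and simply reports 404.
    return (204, {}, b"") if USERS.pop(uid, None) is not None else (404, {}, b"")
```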

🚀 Your Challenge

The vault requires you to use the correct HTTP method sequence!

  1. Check what methods are allowed: curl -X OPTIONS http://challenge/vault
  2. First, knock with HEAD: curl -I http://challenge/vault
  3. Then enter with the right method revealed in step 2!

Good luck! 🍀

