WinjaCTF Official Writeup | c0c0n 2021

Hi there! This blog contains the write-up for 1 Android and 4 web challenges which I created for Winja CTF for the c0c0n 2021 event. This was my first time creating CTF challenges. Hope you had fun/learned something new while solving the challenges.

Pikashow App Reversing

Hi there! I have always wondered how apps like Thoptv and Pikashow give users free content/channels which are not free from different providers like Netflix, Amazon Prime, Hotstar, etc. So this time, I decided to reverse the Pikashow app with a beginner level of knowledge in Android reversing and try to look into how exactly it works and whether we can directly access the content without seeing the ads while streaming in the app.

My First Bounty

Hi there! I spent some time trying to find bugs in the sites which I mostly use, like Swiggy and Paytm, and on the Bugv platform. I was mostly looking for vulnerabilities like SQLi, XSS, XXE, SSRF, etc. and was not able to find a vulnerability that was of high impact or critical.

Authentication And Authorization

Hi there! This is the fifth topic in this series. You can have a look at the other topics as well to get a better idea about the series and the pattern. Fifth Topic - Authentication and Authorisation. As I started exploring these topics in detail, I mostly focused on two widely used standards, which are SAML and OAuth 2.

NoSqli

Hi there! This is the fourth topic in this series. You can have a look at the other topics as well to get a better idea about the series and the pattern. Fourth Topic - NoSQL Injection. Resources: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection (OWASP Ref) https://www.netsparker.com/blog/web-security/what-is-nosql-injection/ (NetSparker Blog) https://geekflare.