arkark/my-ctf-challenges

GitHub: arkark/my-ctf-challenges

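A collection of the web security and sandbox escape challenges the author created for international CTF events such as SECCON, ASIS and IERAE, with difficulty ratings and solution write-ups.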

Stars: 75 | Forks: 8

# My CTF Challenges

This is a repository of the CTF challenges I created. Enjoy CTF! :sunglasses:

### Table of Contents

- [SECCON CTF 14 Finals](#seccon-ctf-14-finals)
- [SECCON CTF 14 Quals](#seccon-ctf-14-quals)
- [ICC TOKYO 2025](#icc-tokyo-2025)
- [ASIS CTF Quals 2025](#asis-ctf-quals-2025)
- [IERAE CTF 2025](#ierae-ctf-2025)
- [AlpacaHack Round 11 (Web)](#alpacahack-round-11-web)
- [SECCON CTF 13 Finals](#seccon-ctf-13-finals)
- [ASIS CTF Finals 2024](#asis-ctf-finals-2024)
- [AlpacaHack Round 7 (Web)](#alpacahack-round-7-web)
- [SECCON CTF 13 Quals](#seccon-ctf-13-quals)
- [IERAE CTF 2024](#ierae-ctf-2024)
- [AlpacaHack Round 2 (Web)](#alpacahack-round-2-web)
- [SECCON CTF 2023 Finals](#seccon-ctf-2023-finals)
- [IERAE DAYS CTF 2023](#ierae-days-ctf-2023)
- [SECCON CTF 2023 Quals](#seccon-ctf-2023-quals)
- [SECCON CTF 2022 Finals](#seccon-ctf-2022-finals)
- [SECCON CTF 2022 Quals](#seccon-ctf-2022-quals)
- [SECCON CTF 2021](#seccon-ctf-2021)

## SECCON CTF 14 Finals

Links: [CTFtime (International)](https://ctftime.org/event/3106) / [CTFtime (Domestic)](https://ctftime.org/event/3107)

|Challenge|Category|Solved / 9 (International)|Solved / 9 (Domestic)|Difficulty|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Warpup](challenges/202603_SECCON_CTF_14_Finals/web/warpup)|web|9|9|★|stream|
|[DOMDOMDOMPurify](challenges/202603_SECCON_CTF_14_Finals/web/domdomdom)|web|9|9|★|DOMPurify, mXSS|
|[Shadow CSS](challenges/202603_SECCON_CTF_14_Finals/web/shadow-css)|web|1|0|★★★|Firefox, Link|
|[Slay the Note](challenges/202603_SECCON_CTF_14_Finals/web/slay-the-note)|web|0|0|★★★|cookie parser|
|[increasing](challenges/202603_SECCON_CTF_14_Finals/jail/increasing)|jail|4|4|★★|pyjail|

## SECCON CTF 14 Quals

Link: [CTFtime](https://ctftime.org/event/2862/)

|Challenge|Category|Solved|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[framed-xss](challenges/202512_SECCON_CTF_14_Quals/web/framed-xss)|web|7|★★★★|-|Chrome, request initiator|
|[impossible-leak](challenges/202512_SECCON_CTF_14_Quals/web/impossible-leak)|web|1|★★★★★|[Link](https://blog.arkark.dev/2025/12/26/etag-length-leak)|XSLeak, ETag|
|[broken-json](challenges/202512_SECCON_CTF_14_Quals/jail/broken-json)|jail|166|★|-|jsjail|
|[excepython](challenges/202512_SECCON_CTF_14_Quals/jail/excepython)|jail|69|★★|-|pyjail|
|[proxy-chain](challenges/202512_SECCON_CTF_14_Quals/jail/proxy-chain)|jail|3|★★★★|-|jsjail, Proxy|

## ICC TOKYO 2025

Links: [Website](https://icctokyo2025.nisc.go.jp/) / [Official repository](https://github.com/ctfplatform/icc-2025-jeopardy-problems)

|Challenge|Category|Solved / 8|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[XSP-Leak](challenges/202511_ICC_TOKYO_2025/web/xsp-leak)|web|4|★★★|[Link](challenges/202511_ICC_TOKYO_2025/web/xsp-leak/solution/README.md)|XSLeak|

## ASIS CTF Quals 2025

Link: [CTFtime](https://ctftime.org/event/2612/)

|Challenge|Category|Solved|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[pure-leak](challenges/202509_ASIS_CTF_Quals_2025/web/pure-leak)|web|2|★★★★|[Link](https://blog.arkark.dev/2025/09/08/asisctf-quals)|quirks mode, CSS injection|

## IERAE CTF 2025

Link: [CTFtime](https://ctftime.org/event/2655/)

|Challenge|Category|Solved|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Warmdown](challenges/202506_IERAE_CTF_2025/web/warmdown)|web|135|★|[Link (Japanese)](https://gmo-cybersecurity.com/blog/ierae-ctf-2025-writeup-web/#warmdown)|XSS|
|[canvasbox](challenges/202506_IERAE_CTF_2025/web/canvasbox)|web|16|★★★|[Link (Japanese)](https://gmo-cybersecurity.com/blog/ierae-ctf-2025-writeup-web/#canvasbox)|DOM, sandbox|

## AlpacaHack Round 11 (Web)

A 6-hour individual competition.

Links: [CTFtime](https://ctftime.org/event/2710) / [Website](https://alpacahack.com/ctfs/round-11)

|Challenge|Category|Solved|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|
|[Jackpot](challenges/202505_AlpacaHack_Round_11/web/jackpot)|web|63|-|Python, Unicode|
|[Redirector](challenges/202505_AlpacaHack_Round_11/web/redirector)|web|6|-|XSS, JavaScript|
|[Tiny Note](challenges/202505_AlpacaHack_Round_11/web/tiny-note)|web|4|-|pickle|
|[AlpacaMark](challenges/202505_AlpacaHack_Round_11/web/alpaca-mark)|web|3|[Link](https://blog.arkark.dev/2025/05/30/alpaca-mark)|DOM Clobbering, PP, iframe|
|[AlpacaMark Revenge](challenges/202505_AlpacaHack_Round_11/web/alpaca-mark-revenge)|web|(released after the CTF)|[Link](https://blog.arkark.dev/2025/05/30/alpaca-mark)|DOM Clobbering, PP, iframe|

## SECCON CTF 13 Finals

Links: [CTFtime (International)](https://ctftime.org/event/2649) / [CTFtime (Domestic)](https://ctftime.org/event/2650)

|Challenge|Category|Solved / 9 (International)|Solved / 9 (Domestic)|Difficulty|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[purexss](challenges/202503_SECCON_CTF_13_Finals/web/purexss)|web|4|1|★★|XSS, ISO-2022-JP|
|[twisty-xss](challenges/202503_SECCON_CTF_13_Finals/web/twisty-xss)|web|3|0|★★★|XSS, puzzle|
|[witchnote](challenges/202503_SECCON_CTF_13_Finals/web/witchnote)|web|1|0|★★★|XSS, disk cache|
|[pp3](challenges/202503_SECCON_CTF_13_Finals/jail/pp3)|jail|0|0|★★★|jsf**k, prototype pollution|

## ASIS CTF Finals 2024

Link: [CTFtime](https://ctftime.org/event/2403/)

|Challenge|Category|Solved|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[fetch-box](challenges/202412_ASIS_CTF_Finals_2024/web/fetch-box)|web, misc|19|★★|[Link](https://blog.arkark.dev/2024/12/30/asisctf-finals/#web-misc-fetch-box)|fetch, sandbox|
|[fire-leak](challenges/202412_ASIS_CTF_Finals_2024/web/fire-leak)|web|1|★★★★|[Link](https://blog.arkark.dev/2024/12/30/asisctf-finals/#web-fire-leak)|XSLeak, ReDoS|

## AlpacaHack Round 7 (Web)

A 6-hour individual competition.

Links: [CTFtime](https://ctftime.org/event/2544) / [Website](https://alpacahack.com/ctfs/round-7)

|Challenge|Category|Solved|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|
|[Treasure Hunt](challenges/202411_AlpacaHack_Round_7/web/treasure-hunt)|web|71|[Link (Japanese)](https://blog.arkark.dev/2024/12/01/alpacahack-round-7/#treasure-hunt)|URL encoding|
|[minimal-waf](challenges/202411_AlpacaHack_Round_7/web/minimal-waf)|web|4|[Link (Japanese)](https://blog.arkark.dev/2024/12/01/alpacahack-round-7/#minimal-waf)|XSS|
|[disconnection](challenges/202411_AlpacaHack_Round_7/web/disconnection)|web|5|TODO|browser behavior|
|[disconnection-revenge](challenges/202411_AlpacaHack_Round_7/web/disconnection-revenge)|web|1|TODO|browser behavior|

## SECCON CTF 13 Quals

Link: [CTFtime](https://ctftime.org/event/2478/)

|Challenge|Category|Solved|Difficulty|Keywords|Co-author|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Trillion Bank](challenges/202411_SECCON_CTF_13_Quals/web/trillion-bank)|web|84|★|MySQL||
|[self-ssrf](challenges/202411_SECCON_CTF_13_Quals/web/self-ssrf)|web|23|★★|URL parser, Bun||
|[double-parser](challenges/202411_SECCON_CTF_13_Quals/web/double-parser)|web|17|★★|HTML parser, XSS||
|[pp4](challenges/202411_SECCON_CTF_13_Quals/jail/pp4)|jail|41|★|jsf**k, prototype pollution||
|[1linepyjail](challenges/202411_SECCON_CTF_13_Quals/jail/1linepyjail)|jail|15|★★|pyjail||
|[Go to Jail](challenges/202411_SECCON_CTF_13_Quals/jail/go-to-jail)|jail|6|★★★|Go, polyglot, code golf||
|[voidbox](challenges/202411_SECCON_CTF_13_Quals/jail/voidbox)|jail|3|★★★★|JavaScript, sandbox escape|[Satoooon](https://x.com/Satoooon1024)|

## IERAE CTF 2024

Link: [CTFtime](https://ctftime.org/event/2441/)

|Challenge|Category|Solved|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[5](challenges/202409_IERAE_CTF_2024/misc/five)|misc|8|★|-|Bun|
|[Leak! Leak! Leak!](challenges/202409_IERAE_CTF_2024/web/leakleakleak)|web|3|★★★★|[Link (Japanese)](https://gmo-cybersecurity.com/blog/ierae-ctf-2024-writeup-web/#leakleakleak)|XS-Leak, CSP|

## AlpacaHack Round 2 (Web)

A 6-hour individual competition.

Links: [CTFtime](https://ctftime.org/event/2465) / [Website](https://alpacahack.com/ctfs/round-2)

|Challenge|Category|Solved|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|
|[Simple Login](challenges/202409_AlpacaHack_Round_2/web/simple-login)|web|84|[Link (Japanese)](https://blog.arkark.dev/2024/09/04/alpacahack-round-2/#simple-login)|SQL injection|
|[Pico Note 1](challenges/202409_AlpacaHack_Round_2/web/pico-note-1)|web|10|[Link (Japanese)](https://blog.arkark.dev/2024/09/04/alpacahack-round-2/#pico-note-1)|CSP bypass, JavaScript|
|[CaaS](challenges/202409_AlpacaHack_Round_2/web/caas)|web|13|[Link (Japanese)](https://blog.arkark.dev/2024/09/04/alpacahack-round-2/#caas)|RCE, Perl|
|[Pico Note 2](challenges/202409_AlpacaHack_Round_2/web/pico-note-2)|web|3|[Link (Japanese)](https://blog.arkark.dev/2024/09/04/alpacahack-round-2/#pico-note-2)|Import Maps|

## SECCON CTF 2023 Finals

Links: [CTFtime (International)](https://ctftime.org/event/2159) / [CTFtime (Domestic)](https://ctftime.org/event/2160)

|Challenge|Category|Solved / 12 (International)|Solved / 12 (Domestic)|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
|[babywaf](challenges/202312_SECCON_CTF_2023_Finals/web/babywaf)|web|8|4|★|[Link](https://blog.arkark.dev/2023/12/28/seccon-finals/#web-babywaf)|WAF bypass|
|[cgi-2023](challenges/202312_SECCON_CTF_2023_Finals/web/cgi-2023)|web|5|2|★★★|[Link](https://blog.arkark.dev/2023/12/28/seccon-finals/#web-cgi-2023)|XS-Leak, Subresource Integrity|
|[LemonMD](challenges/202312_SECCON_CTF_2023_Finals/web/lemonmd)|web|2|1|★★★|[Link](https://blog.arkark.dev/2023/12/28/seccon-finals/#web-lemonmd)|Fresh, Islands Architecture|
|[DOMLeakify](challenges/202312_SECCON_CTF_2023_Finals/web/domleakify)|web|1|0|★★★★★|[Link](https://blog.arkark.dev/2023/12/28/seccon-finals/#web-domleakify)|CSS injection on style attributes|
|[whitespace.js](challenges/202312_SECCON_CTF_2023_Finals/misc/whitespace-js)|misc|2|2|★★|[Link](https://blog.arkark.dev/2023/12/28/seccon-finals/#misc-whitespace-js)|JavaScript sandbox|

## IERAE DAYS CTF 2023

An on-site local event: Thursday, December 7, 2023

Link: [Repository](https://github.com/gmo-ierae/ierae-days-ctf-2023)

|Challenge|Category|Keywords|
|:-:|:-:|:-:|
|[simple-proxy](challenges/202312_IERAE_DAYS_CTF_2023/web/simple-proxy)|web|request target|

## SECCON CTF 2023 Quals

Link: [CTFtime](https://ctftime.org/event/2003/)

|Challenge|Category|Solved / 653|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[blink](challenges/202309_SECCON_CTF_2023_Quals/web/blink)|web|14|★★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#web-blink)|DOM clobbering|
|[eeeeejs](challenges/202309_SECCON_CTF_2023_Quals/web/eeeeejs)|web|12|★★★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#web-eeeeejs)|ejs, XSS puzzle|
|[hidden-note](challenges/202309_SECCON_CTF_2023_Quals/web/hidden-note)|web|1|★★★★★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#web-hidden-note)|XS-Leak, unstable sort|
|[crabox](challenges/202309_SECCON_CTF_2023_Quals/sandbox/crabox)|sandbox|53|★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#sandbox-crabox)|Rust sandbox|
|[node-ppjail](challenges/202309_SECCON_CTF_2023_Quals/sandbox/node-ppjail)|sandbox|5|★★★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#sandbox-node-ppjail)|prototype pollution|
|[deno-ppjail](challenges/202309_SECCON_CTF_2023_Quals/sandbox/deno-ppjail)|sandbox|2|★★★★|[Link](https://blog.arkark.dev/2023/09/21/seccon-quals/#sandbox-deno-ppjail)|prototype pollution|

## SECCON CTF 2022 Finals

Links: [CTFtime (International)](https://ctftime.org/event/1864) / [CTFtime (Domestic)](https://ctftime.org/event/1863)

|Challenge|Category|Solved / 10 (International)|Solved / 12 (Domestic)|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
|[babybox](challenges/202302_SECCON_CTF_2022_Finals/web/babybox)|web|6|4|★|[Link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-100-babybox)|prototype pollution|
|[easylfi2](challenges/202302_SECCON_CTF_2022_Finals/web/easylfi2)|web|10|8|★|[Link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-200-easylfi2)|LFI, curl|
|[MaaS](challenges/202302_SECCON_CTF_2022_Finals/web/maas)|web|3|1|★★★|[Link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-maas)|newline normalization, CSP bypass|
|[light-note](challenges/202302_SECCON_CTF_2022_Finals/web/light-note)|web|0|0|★★★|[Link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-light-note)|DOM clobbering, Sanitizer API|
|[dark-note](challenges/202302_SECCON_CTF_2022_Finals/web/dark-note)|web|0|0|★★★★|[Link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-500-dark-note)|time-based blind injection|

## SECCON CTF 2022 Quals

Link: [CTFtime](https://ctftime.org/event/1764)

|Challenge|Category|Solved / 726|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[skipinx](challenges/202211_SECCON_CTF_2022_Quals/web/skipinx)|web|102|★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-skipinx)|query parser|
|[easylfi](challenges/202211_SECCON_CTF_2022_Quals/web/easylfi)|web|62|★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi)|LFI, curl|
|[bffcalc](challenges/202211_SECCON_CTF_2022_Quals/web/bffcalc)|web|41|★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-bffcalc)|HTTP request splitting|
|[piyosay](challenges/202211_SECCON_CTF_2022_Quals/web/piyosay)|web|19|★★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay)|Trusted Types, DOMPurify, RegExp|
|[denobox](challenges/202211_SECCON_CTF_2022_Quals/web/denobox)|web|1|★★★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-denobox)|prototype pollution, import maps|
|[spanote](challenges/202211_SECCON_CTF_2022_Quals/web/spanote)|web|1|★★★★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote)|Chrome, disk cache, bfcache|
|[latexipy](challenges/202211_SECCON_CTF_2022_Quals/misc/latexipy)|misc|8|★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy)|pyjail, magic comment|
|[txtchecker](challenges/202211_SECCON_CTF_2022_Quals/misc/txtchecker)|misc|23|★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-txtchecker)|magic file, ReDoS|
|[noiseccon](challenges/202211_SECCON_CTF_2022_Quals/misc/noiseccon)|misc|22|★★|[Link](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-noiseccon)|Perlin noise|

## SECCON CTF 2021

Link: [CTFtime](https://ctftime.org/event/1458)

|Challenge|Category|Solved / 506|Difficulty|Writeup|Keywords|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Sequence as a Service 1](challenges/202112_SECCON_CTF_2021/web/sequence-as-a-service-1)|web|20|★★|[Link](https://blog.arkark.dev/2021/12/22/seccon/#sequence-as-a-service-1)|JavaScript sandbox|
|[Sequence as a Service 2](challenges/202112_SECCON_CTF_2021/web/sequence-as-a-service-2)|web|19|★|[Link](https://blog.arkark.dev/2021/12/22/seccon/#sequence-as-a-service-2)|JavaScript sandbox|
|[Cookie Spinner](challenges/202112_SECCON_CTF_2021/web/cookie-spinner)|web|7|★★★|[Link](https://blog.arkark.dev/2021/12/22/seccon/#cookie-spinner)|DOM clobbering|
|[x-note](challenges/202112_SECCON_CTF_2021/web/x-note)|web|3|★★★★|[Link](https://blog.arkark.dev/2021/12/22/seccon/#x-note)|XS-Search|