EN | ZH Because the scope of the CTF's questions is actually quite broad, there is currently no clear definition of what to say. However, in terms of current game questions, it is mainly based on common Web network attack and defense, RE reverse engineering, Pwn binary exploit, Crypto password attack, Mobile. Mobile Security and Misc Security Miscellaneous are used for categorization.

  • Web - Network Attack and Defense

It mainly introduces common vulnerabilities in Web security, such as SQL injection, XSS, CSRF, file inclusion, file uploading, code auditing, PHP weak type, etc., common problem types and problem solving ideas in Web security, and provides some commonly used tools. .

  • Reverse Engineering - Reverse Engineering

It mainly introduces the common problem types, tool platforms and problem-solving ideas in reverse engineering. The advanced part introduces the common software protection, decompilation, anti-debugging and shelling technology in reverse engineering.

  • Pwn - Binary exploits

The Pwn topic mainly examines the exploitation and utilization of binary vulnerabilities, and requires a certain understanding of the underlying computer operating system. In the CTF competition, the PWN topic mainly appeared on the Linux platform.

  • Crypto - Password Attack

It mainly includes two parts: classical cryptography and modern cryptography. Classical cryptography has strong interest and variety, modern cryptography has high security, and requires high understanding of algorithms.

  • Mobile - Mobile Security

It mainly introduces the common tools and main types of problems in Android reverse. Android reverse often requires a certain amount of Android development knowledge. iOS reverse problems are less common in CTF competitions, so do not introduce too much.

  • Misc - Security Miscellaneous

According to Zhuge Jianwei's "Online Ghost: The World's No. 1 Hacker Mitnick" and some typical MISC topics, the content includes information gathering, coding analysis, forensic analysis, and steganalysis.

National University Student Information Security Competition - Contest Content

In 2016, the National University Student Information Security Competition began to set up an innovative practical skill competition, which was based on the traditional CTF system. In the "2016 National University Student Information Security Competition Entry Guide", the competition content given by the organizers is relatively comprehensive and worthy of reference.

  1. System security. Involves operating system and web system security, including web site multi-language source code audit analysis (especially PHP), database management and SQL operations, web vulnerability mining and utilization (such as SQL injection and XSS), server empowerment, writing code patches, and fixing security vulnerabilities such as website vulnerabilities.
  2. Software reverse. A variety of programming techniques involving the Windows/Linux/Android platform require reverse analysis of source and binary files using common tools to master Android mobile apps APK Reverse analysis of files, mastering encryption and decryption, kernel programming, algorithms, anti-debugging and code obfuscation techniques.
  3. Vulnerability mining and utilization. Master languages such as C/C++/Python/PHP/Java/Ruby/Assemble, explore Windows/Linux (x86/x86_64 platform) binary bugs, master buffer overflows and format string attacks, and write and utilize shellcode.
  4. Principles and applications of cryptography. Master classical cryptography and modern cryptography, analyze cryptographic algorithms and protocols, calculate keys and perform encryption and decryption operations.
  5. Other content. Including information gathering capabilities, programming capabilities, mobile security, cloud computing security, trusted computing, autonomous controllable, steganography and information hiding, Forensics technology and file recovery skills, computer network foundation and analysis of network traffic ability.