Haxxerenr

Everything posted by Haxxerenr

  1. @Rook, you can find the same question on /r/netsec. Is something wrong with my formatting? Are questions like mine not appreciated here? If you can't help me find the answer, could you point me to a forum where someone can?
  2. I'm trying to complete the OWASP Security Shepherd challenges and I'm a bit stuck on the Broken Authentication and Session Management challenge. The challenge reads: "Only administrators of the following sub-application can retrieve the result key." This is followed by a button labeled "Administrator only button". I fired up Burp Suite and intercepted the following request after clicking the button:

     Raw Request
     Cookie: checksum=dXNlclJvbGU9dXNlcg==; JSESSIONID=0275B60FDA258993848E7AF93338D41F; JSESSIONID3="uDnES4i8arE6wd4WAPlU2Q=="; JSESSIONID=4AA028C117D5CC869A83B9A516389A58; _ga=GA1.2.1467780212.1413196735; token=82434034476359385297251271889074344991; JSESSIONID3=""

     adminDetected=false&returnPassword=false&upgradeUserToAdmin=false

     I noticed the checksum was base64-encoded and reads userRole=user, so I changed it to userRole=admin, base64-encoded the string and changed the checksum value. Of course I have tried various true and false combinations in the body. Can someone give me a tip / point me in the right direction?
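As an added illustration (not code from Security Shepherd or from the poster) of the design flaw behind the checksum cookie in the request above: an unsigned base64 value carries no integrity protection, so a server that reads the role out of it trusts whatever the client sends. The first parser below behaves like such a server; the second binds the role to an HMAC under a server-side key (SERVER_SECRET is a constructed placeholder) so any edited value is rejected.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hypothetical server-side key; a real deployment would use a random per-instance secret.
SERVER_SECRET = b"example-server-secret"

# Constructed sample matching the captured request: base64("userRole=user").
CAPTURED_CHECKSUM = "dXNlclJvbGU9dXNlcg=="


def parse_unsigned_checksum(cookie_value: str) -> str:
    """Weak pattern: the role is taken straight from the base64 payload, nothing is verified."""
    decoded = base64.b64decode(cookie_value).decode()
    key, _, value = decoded.partition("=")
    if key != "userRole":
        raise ValueError("unexpected checksum format")
    return value


def make_signed_checksum(role: str) -> str:
    """Hardened pattern: append an HMAC-SHA256 over the payload, keyed with the server secret."""
    payload = f"userRole={role}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"|" + tag).decode()


def parse_signed_checksum(cookie_value: str) -> Optional[str]:
    """Return the role only when the MAC verifies; None means malformed or tampered."""
    try:
        decoded = base64.b64decode(cookie_value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, sep, tag = decoded.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    key, _, value = payload.decode().partition("=")
    return value if key == "userRole" else None


def tamper_signed_checksum(cookie_value: str, new_role: str) -> str:
    """Simulate a client editing only the role inside a signed cookie (MAC left unchanged)."""
    payload, sep, tag = base64.b64decode(cookie_value).rpartition(b"|")
    return base64.b64encode(f"userRole={new_role}".encode() + sep + tag).decode()
```

The unsigned parser accepts an edited role, while the signed parser returns None for the same edit because the MAC no longer matches.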
  3. Hi guys. Metasploit gives you a great list of Meterpreter shells to use for your pen testing pleasure. However, I can't seem to find guidelines about when to use what shell in what situation. In all guides they just mention what payload they use, but never give a reason why. Does someone have a good resource on this matter? Thanks.