[Broken Authentication and Session Management Challenge]

@Rook you can find the same question on /r/netsec

Is something wrong with my formatting? Are questions like mine not appreciated here?

If you can't help me find the answer could you point me to a forum where someone can?

[Broken Authentication and Session Management Challenge]

Really? Nobody who can help me?

[Broken Authentication and Session Management Challenge]

I'm trying to complete the OWASP Security Shepherd challenges and I'm a bit stuck on the Broken Authentication and Session Management Challenge.

The challenge reads: Only administrators of the following sub-application can retrieve the result key. Followed by a button labeled: Administrator only button

I fired up Burp Suite and intercepted the following request after clicking the button:

Raw Request

Cookie: checksum=dXNlclJvbGU9dXNlcg==; JSESSIONID=0275B60FDA258993848E7AF93338D41F; JSESSIONID3="uDnES4i8arE6wd4WAPlU2Q=="; JSESSIONID=4AA028C117D5CC869A83B9A516389A58; _ga=GA1.2.1467780212.1413196735; token=82434034476359385297251271889074344991; JSESSIONID3="" adminDetected=false&returnPassword=false&upgradeUserToAdmin=false

I noticed the checksum was base64 encoded and reads userRole=user, so changed it to userRole=admin base64 encoded the string and changed the checksum value.

Ofcourse I have tried various true and false combinations in the body. Can someone give me a tip / point me in the right direction?

[Differences in Meterpreter shells]

Hi guys,

Metaploit gives you a great list of Meterpreter shells to use for your pen testing pleasure. However I can't seem to find guidelines about when to use what shell in what situation. In all guides they just mention what payload they use, but never give a reason why.

Does someone have a good resource on this matter?

Thanks