Haxxerenr, Posted October 13, 2014

I'm trying to complete the OWASP Security Shepherd challenges and I'm a bit stuck on the Broken Authentication and Session Management Challenge. The challenge reads:

    Only administrators of the following sub-application can retrieve the result key.

Followed by a button labeled: Administrator only button

I fired up Burp Suite and intercepted the following request after clicking the button:

Raw Request

    Cookie: checksum=dXNlclJvbGU9dXNlcg==; JSESSIONID=0275B60FDA258993848E7AF93338D41F; JSESSIONID3="uDnES4i8arE6wd4WAPlU2Q=="; JSESSIONID=4AA028C117D5CC869A83B9A516389A58; _ga=GA1.2.1467780212.1413196735; token=82434034476359385297251271889074344991; JSESSIONID3=""

    adminDetected=false&returnPassword=false&upgradeUserToAdmin=false

I noticed the checksum was base64 encoded and reads userRole=user, so I changed it to userRole=admin, base64-encoded the string and changed the checksum value. Of course I have tried various true and false combinations in the body. Can someone give me a tip / point me in the right direction?
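The post's checksum cookie is plain base64 of "userRole=user", which encodes the role but does not protect it: any client can re-encode a different role. The added example below (my own illustration, not Security Shepherd's code; the server secret and cookie layout are constructed assumptions) contrasts that unauthenticated pattern with an HMAC-signed cookie, and shows that the exact edit described in the post is rejected once the value carries a verified tag.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed secret for this example only; a real server loads it from config.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def weak_checksum(role: str) -> str:
    """The pattern seen in the post: 'checksum' is just base64 of the role text."""
    return base64.b64encode(f"userRole={role}".encode()).decode()


def weak_verify(cookie: str) -> str:
    """Trusts whatever the client sent; there is no integrity check at all."""
    return base64.b64decode(cookie).decode().split("=", 1)[1]


def signed_checksum(role: str) -> str:
    """Hardened form: payload '.' hex(HMAC-SHA256(secret, payload)), base64-wrapped."""
    payload = f"userRole={role}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"." + tag).decode()


def signed_verify(cookie: str) -> Optional[str]:
    """Returns the role only when the tag verifies; None means malformed or tampered."""
    try:
        raw = base64.b64decode(cookie, validate=True)
        payload, tag = raw.rsplit(b".", 1)  # hex tag contains no '.', so this is safe
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return payload.decode().split("=", 1)[1]


def tamper(cookie: str) -> str:
    """The edit from the post: decode, swap the role text, re-encode (tag untouched)."""
    raw = base64.b64decode(cookie)
    return base64.b64encode(raw.replace(b"userRole=user", b"userRole=admin")).decode()


if __name__ == "__main__":
    print("weak cookie  :", weak_checksum("user"))          # dXNlclJvbGU9dXNlcg==
    print("weak, edited :", weak_verify(tamper(weak_checksum("user"))))   # admin
    print("signed, edited:", signed_verify(tamper(signed_checksum("user"))))  # None
```

The weak scheme reproduces the cookie value from the post exactly, so the only thing distinguishing "user" from "admin" there is the client's honesty; the signed scheme makes the role cookie unforgeable without the server secret, which is the mitigation a server should apply (or it should keep the role server-side keyed by the session id and never send it to the client at all).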