Jump to content

Broken Authentication and Session Management Challenge


Recommended Posts

I'm trying to complete the OWASP Security Shepherd challenges and I'm a bit stuck on the Broken Authentication and Session Management Challenge.

The challenge reads: Only administrators of the following sub-application can retrieve the result key. Followed by a button labeled: Administrator only button

I fired up Burp Suite and intercepted the following request after clicking the button:

Raw Request

Cookie: checksum=dXNlclJvbGU9dXNlcg==; JSESSIONID=0275B60FDA258993848E7AF93338D41F; JSESSIONID3="uDnES4i8arE6wd4WAPlU2Q=="; JSESSIONID=4AA028C117D5CC869A83B9A516389A58; _ga=GA1.2.1467780212.1413196735; token=82434034476359385297251271889074344991; JSESSIONID3="" adminDetected=false&returnPassword=false&upgradeUserToAdmin=false

I noticed the checksum was base64 encoded and reads userRole=user, so changed it to userRole=admin base64 encoded the string and changed the checksum value.

Ofcourse I have tried various true and false combinations in the body. Can someone give me a tip / point me in the right direction?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...