Haxxerenr Posted October 13, 2014

I'm trying to complete the OWASP Security Shepherd challenges and I'm a bit stuck on the Broken Authentication and Session Management Challenge. The challenge reads:

Only administrators of the following sub-application can retrieve the result key.

Followed by a button labeled: Administrator only button

I fired up Burp Suite and intercepted the following request after clicking the button:

Raw Request
Cookie: checksum=dXNlclJvbGU9dXNlcg==; JSESSIONID=0275B60FDA258993848E7AF93338D41F; JSESSIONID3="uDnES4i8arE6wd4WAPlU2Q=="; JSESSIONID=4AA028C117D5CC869A83B9A516389A58; _ga=GA1.2.1467780212.1413196735; token=82434034476359385297251271889074344991; JSESSIONID3=""

adminDetected=false&returnPassword=false&upgradeUserToAdmin=false

I noticed the checksum was base64 encoded and reads userRole=user, so I changed it to userRole=admin, base64 encoded the string and changed the checksum value. Of course I have tried various true and false combinations in the body.

Can someone give me a tip / point me in the right direction?
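The cookie manipulation described in the post above, as an added example that is not part of the original post and not Security Shepherd's own code. It parses the captured Cookie header (only the checksum, one JSESSIONID and the token from the post are kept in the constructed sample), decodes the checksum, re-encodes it with the role changed, and then contrasts a server that trusts the decoded value with one that binds the role to an HMAC so the same edit is rejected. The secret key, the `|` separator and the function names are assumptions made for the example, not anything the challenge is known to use.

```python
import base64
import hashlib
import hmac

# Constructed sample: a subset of the Cookie header captured in the post.
CAPTURED_COOKIE = (
    "checksum=dXNlclJvbGU9dXNlcg==; "
    "JSESSIONID=0275B60FDA258993848E7AF93338D41F; "
    "token=82434034476359385297251271889074344991"
)

# Assumption: a server-side secret that the client never sees.
SERVER_KEY = b"constructed-secret-key-for-the-example"
SEPARATOR = b"|"  # assumption: how payload and tag are joined in the signed cookie


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict (first '=' separates)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def decode_checksum(value):
    """The 'checksum' is plain base64, so it decodes to readable text."""
    return base64.b64decode(value).decode()


def forge_checksum(value, new_role):
    """Client-side tampering: change userRole and re-encode, as the poster did."""
    fields = dict(kv.split("=", 1) for kv in decode_checksum(value).split("&"))
    fields["userRole"] = new_role
    plain = "&".join(f"{k}={v}" for k, v in fields.items())
    return base64.b64encode(plain.encode()).decode()


def insecure_is_admin(cookies):
    """Vulnerable check: trusts whatever role the client encoded."""
    return decode_checksum(cookies["checksum"]) == "userRole=admin"


def sign_role(role, key=SERVER_KEY):
    """Hardened issuance: base64(payload | HMAC-SHA256(key, payload))."""
    payload = f"userRole={role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + SEPARATOR + tag).decode()


def secure_is_admin(signed_value, key=SERVER_KEY):
    """Hardened check: recompute the tag and compare in constant time."""
    raw = base64.b64decode(signed_value)
    payload, sep, tag = raw.rpartition(SEPARATOR)
    if not sep:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False
    return payload == b"userRole=admin"


def tamper_signed_cookie(signed_value, new_role):
    """Repeat the poster's edit against the signed form, keeping the old tag."""
    raw = base64.b64decode(signed_value)
    _, _, tag = raw.rpartition(SEPARATOR)
    return base64.b64encode(f"userRole={new_role}".encode() + SEPARATOR + tag).decode()


if __name__ == "__main__":
    cookies = parse_cookies(CAPTURED_COOKIE)
    print("decoded checksum:", decode_checksum(cookies["checksum"]))
    forged = forge_checksum(cookies["checksum"], "admin")
    print("forged checksum:", forged)
    print("insecure server accepts forged role:", insecure_is_admin({"checksum": forged}))
    signed = sign_role("user")
    print("secure server accepts tampered signed cookie:",
          secure_is_admin(tamper_signed_cookie(signed, "admin")))
```

The first half reproduces exactly what the poster did, which is why an unsigned, base64-only "checksum" is not a checksum at all. The second half is the shape of the fix a reviewer would ask for: the server decides the role and the client can only echo it back unchanged, because any edit to the payload invalidates the tag. Whether the challenge's own server binds the cookie in this way is not something the post shows.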
Haxxerenr Posted October 14, 2014

Really? Nobody who can help me?
cooper Posted October 14, 2014

x
Haxxerenr Posted October 15, 2014

@Rook you can find the same question on /r/netsec. Is something wrong with my formatting? Are questions like mine not appreciated here? If you can't help me find the answer, could you point me to a forum where someone can?