Server-side security war games: Part 5

“You are not logged in” – I wonder what that means. Normally, websites use cookies to tell whether you’re logged in. Let’s check if that’s the case here.

If you’re using Google Chrome, press CTRL-J and switch to the “Resources” tab. Expand the “Cookies” item, and select the current domain: “natas5.natas…” and lo and behold there is a cookie there. Named loggedin. With value 0. Remember, the client controls what gets sent in the cookies. That’s our attack vector.

I wonder what happens if we change that to a true value, probably 1?

You can’t change cookies from this view, but I have a browser extension that lets me do that. Or, you can use curl again. Once you make a request with a cookie that claims you’re logged in, you’ll see the password for the next level.

Lessons learned

If you ever have to write a web application where users can be logged in, be careful of problems like this. You need to make sure that the client really is logged in, rather than just claiming they are.
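
To make the lesson concrete, here is an added example (not code from the original post or from the war game) that puts the flawed check next to a server-side session check. The function names, the in-memory session store, the TTL and the demo credential check are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; constructed value for this example
SESSIONS = {}       # session id -> (username, expiry); kept only on the server


def is_logged_in_vulnerable(cookies):
    """The pattern from this level: the server believes the client's claim."""
    return cookies.get("loggedin") == "1"


def login(username, password, check_credentials, now=None):
    """Return the cookies to set after a verified login, or None on failure."""
    if not check_credentials(username, password):
        return None
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # unguessable and meaningless by itself
    SESSIONS[session_id] = (username, now + SESSION_TTL)
    return {"session": session_id}


def current_user(cookies, now=None):
    """Return the logged-in username, or None. The answer comes from server state."""
    now = time.time() if now is None else now
    session_id = cookies.get("session", "")
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None  # unknown id: the cookie is only a lookup key, not a claim
    username, expiry = entry
    if now >= expiry:
        SESSIONS.pop(session_id, None)  # expired sessions are forgotten
        return None
    return username


def logout(cookies):
    """Invalidate the session on the server, whatever the client keeps sending."""
    SESSIONS.pop(cookies.get("session", ""), None)


def demo_check(username, password):
    # Constructed credential check, standing in for a real password verifier.
    return username == "alice" and secrets.compare_digest(password, "correct horse")
```

With this design, editing the cookie only changes which session id is looked up; a value the server never issued maps to no user.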