If you’re using Google Chrome, press CTRL-J and switch to the “Resources” tab. Expand the “Cookies” item, and select the current domain: “natas5.natas…” and lo and behold there is a cookie there, named loggedin, with value 0. Remember, the client controls what gets sent in the cookies. That’s our attack vector.
I wonder what happens if we change that to a true value, probably
You can’t change cookies here, but I have a browser extension that lets me do that. Or, you can use curl again. Once you make a request with a cookie that claims you’re logged in, you’ll see the password for the next level.
If you ever have to write a web application where users can be logged in, be careful of problems like this. The server has to verify that the client really is logged in, rather than accepting a cookie that merely claims it is.
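To make the defensive point concrete, here is an added example (not code from the original post or from the Natas challenge itself) that puts the flawed check next to two fixes. The vulnerable function trusts a client-set loggedin flag, exactly the mistake described above. The first fix keeps login state on the server and hands the client only an unguessable random token; the second keeps the state in the cookie but HMAC-signs it so a forged value fails verification. The SessionStore class, the function names and the SECRET_KEY value are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def _parse(cookie_header: str) -> SimpleCookie:
    """Parse a raw Cookie request header such as 'loggedin=1; session=abc'."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    return cookies


# --- Vulnerable pattern: the server believes whatever the client sends ---
def vulnerable_is_logged_in(cookie_header: str) -> bool:
    """Returns True whenever the client *claims* to be logged in.
    The client writes the cookie, so anyone can send loggedin=1."""
    cookies = _parse(cookie_header)
    return "loggedin" in cookies and cookies["loggedin"].value == "1"


# --- Fix 1: server-side session state keyed by a random, unguessable token ---
class SessionStore:
    """Hypothetical in-memory session table: token -> username.
    A real deployment would back this with a database or cache."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def login(self, username: str) -> str:
        # 32 random bytes; the client cannot guess or construct a valid token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, cookie_header: str):
        """Return the logged-in user for this request, or None.
        Only a token the server itself issued maps to a user."""
        cookies = _parse(cookie_header)
        if "session" not in cookies:
            return None
        return self._sessions.get(cookies["session"].value)


# --- Fix 2: stateless signed cookie; readable by the client, not forgeable ---
SECRET_KEY = b"constructed-example-key-do-not-reuse"  # constructed; load from config in practice


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Produce 'value.hexmac' so the server can later detect tampering."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_signed(cookie_value: str, key: bytes = SECRET_KEY):
    """Return the signed value if its MAC checks out, else None.
    compare_digest avoids leaking the MAC through timing differences."""
    value, _, mac = cookie_value.rpartition(".")
    if not value or not mac:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


if __name__ == "__main__":
    # Constructed request headers, as a browser or curl would send them.
    print("vulnerable, forged flag:", vulnerable_is_logged_in("loggedin=1"))
    store = SessionStore()
    token = store.login("alice")
    print("session, real token:", store.user_for(f"session={token}"))
    print("session, forged flag:", store.user_for("loggedin=1; session=guess"))
    signed = sign_value("alice")
    print("signed, intact:", verify_signed(signed))
    print("signed, tampered:", verify_signed("admin." + signed.split(".")[1]))
```

The two fixes suit different situations: the session table is the simpler mental model and lets you revoke a login by deleting its token, while the signed cookie needs no server-side storage but cannot be invalidated before it expires without extra machinery. Either way the deciding check happens on the server with a secret the client never sees.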
Posted: Jun 21, 2013