Description: It seems you were automatically logged in as John Doe. Try to find a way to be logged in as the user Mary Jane in order to see her profile.
Vulnerability: OWASP A2 Broken Authentication and Session Management
You need to modify the user cookie
This should be easy. My goal is just to change the logged-in user from John Doe to Mary Jane, and that is usually done by playing with the cookie in the HTTP header. OK, let's start Burp to see what's going on. Don't forget to configure your browser to work with Burp before you start intercepting and using the Repeater function.
GET /ctf2/exercises/ex9.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.2097500748.1426146732; visitor_id12882=197992830; __distillery=v20150227_3d92622f-8940-44b8-8c2e-fbfba9e66052; __utma=192755314.2097500748.1426146732.1427136730.1427302672.2; __utmz=192755314.1427136730.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9okprgbh057f1bg5jqjal83sq3; user=Sk9ITitET0U%3D
Connection: keep-alive
As you can see in the HTTP header above, there is a "user=Sk9ITitET0U%3D" cookie. "%3D" is URL-encoded; the decoded character is "=", so "Sk9ITitET0U=" must be base64. Decoding the string with an online tool gives JOHN+DOE. As I said, this should be easy: just base64-encode MARY+JANE (TUFSWStKQU5F) with the same online tool, replace the John Doe base64 in the cookie with the Mary Jane base64 in Burp Suite, send the request to the server, and I pass level 9.
To do it directly in the browser instead, I use the Tamper Data add-on to change the user cookie.
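Added example (my own Python, not code from the exercise or the writeup) showing why the level's cookie is forgeable and what the minimal server-side fix looks like: the identity is only base64, which involves no secret, so the fixed form binds the value to a server-held HMAC key and rejects any cookie whose signature does not match. The key, the "payload.signature" layout and the function names are assumptions for illustration; the real exercise uses none of them.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed key for the example only; a real deployment keeps it secret server-side.
SERVER_KEY = b"example-server-secret-not-for-production"


def decode_user_cookie(value: str) -> str:
    """Decode the exercise's 'user' cookie: URL-decode, then base64-decode.
    No secret is involved, so anyone can read and rewrite the identity."""
    return base64.b64decode(urllib.parse.unquote(value)).decode("utf-8")


def make_signed_cookie(user: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form (assumed layout): payload '.' HMAC-SHA256(key, payload).
    Better still is keeping the identity server-side behind PHPSESSID only."""
    payload = base64.urlsafe_b64encode(user.encode("utf-8")).decode("ascii")
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_signed_cookie(value: str, key: bytes = SERVER_KEY):
    """Return the user name if the signature verifies, otherwise None.
    A payload swapped for another user's base64 fails the HMAC check."""
    try:
        payload, sig = value.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(decode_user_cookie("Sk9ITitET0U%3D"))   # cookie value from the request above
    signed = make_signed_cookie("JOHN+DOE")
    print(verify_signed_cookie(signed))
    # Same swap as in the writeup, applied to the signed cookie: rejected.
    print(verify_signed_cookie("TUFSWStKQU5F." + signed.split(".", 1)[1]))
```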
Resources and Tools:
1. Configuring your Browser to work with Burp – https://support.portswigger.net/customer/portal/articles/1783055-Installing_Configuring%20your%20Browser.html
2. Burp Suite
3. Tamper Data Add-on – https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
4. Base64 Online Tools – https://paulschou.com/tools/xlate/