From c6391d050de488d8cae647268cadbec370ff7b9f Mon Sep 17 00:00:00 2001 From: tomoron Date: Wed, 9 Apr 2025 14:35:05 +0200 Subject: [PATCH] add readme for weak_cookie_auth and hidden_field_manipulation --- hidden_field_manipulation/README.md | 17 +++++++++++++++++ weak_cookie_auth/README.md | 24 ++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 hidden_field_manipulation/README.md create mode 100644 weak_cookie_auth/README.md diff --git a/hidden_field_manipulation/README.md b/hidden_field_manipulation/README.md new file mode 100644 index 0000000..6e2f7a4 --- /dev/null +++ b/hidden_field_manipulation/README.md @@ -0,0 +1,17 @@ +# Hidden Field Manipulation + +## How We Found It +On the sign-in page, there is a I forgot my password. This page contains just a submit button. +when I open the html of the page, there is a hidden field, this hidden field contains an email. +when we change the email and click submit, we get a flag. + +## Utility of It +- Lets an attacker change internal data (like an email) sent to the server. +- Can lead to unauthorized access, data leaks, or in this case, retrieving a flag. +- Highlights trust in client-side values, which should never be trusted. + +## How Can We Patch It +- Never rely on hidden fields for sensitive logic (e.g., user identity, permissions). +- Always validate input server-side against the authenticated user/session. +- Use server-side state instead of hidden form values when possible. +- If form fields must be used, consider signing or encrypting them (with care). diff --git a/weak_cookie_auth/README.md b/weak_cookie_auth/README.md new file mode 100644 index 0000000..4431965 --- /dev/null +++ b/weak_cookie_auth/README.md 
@@ -0,0 +1,24 @@ +# Weak auth via cookie + +## How We Found It +On all the pages, if we have no cookies, the website gives us a cookie. the cookie is called `i_am_admin` and has this value : +``` +68934a3e9455fa72420237eb05902327 +``` +That look like a md5 hash. what if I decrypt it. +this is a hash of `false`. +what if I hash `true` and set it as the cookie. +when I do this. on all pages, there is an alert that gives me the flag + +## Utility of It +- Allows an attacker to forge an admin session by reverse-engineering or guessing cookie values. +- No need to log in or brute-force credentials — just manipulate a hash. +- Can lead to privilege escalation, access to admin features, or flag retrieval in CTFs. + +## How Can We Patch It +- Never rely on easily reversible or guessable values (like md5("true")) for auth. +- Use secure session tokens, randomly generated and validated server-side. +- Store roles (like admin/user) in a server-side session — not in a modifiable cookie. +- Avoid using MD5 for any security-related checks; it's outdated and weak. +- Sign cookies with a HMAC or encrypt them if you must store data client-side. +
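Review bot: In the hidden_field_manipulation/README.md hunk, the "How We Found It" paragraph is hard to parse: "there is a I forgot my password. This page contains just a submit button." reads as a broken sentence, and the next two sentences start in lowercase. Suggest: `On the sign-in page there is an "I forgot my password" link. That page contains only a submit button, but its HTML includes a hidden field holding an email address; changing the email and submitting returns the flag.` The last "How Can We Patch It" bullet ("consider signing or encrypting them (with care)") would be stronger if it said what the care is: a signed hidden field stops edits, but a user can still submit a value that was signed for someone else unless the signature also binds the field to the current session, so the first two bullets (derive identity from the authenticated session, validate server-side) remain the real fix.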
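Review bot: In the weak_cookie_auth/README.md hunk, "That look like a md5 hash. what if I decrypt it." is inaccurate as well as ungrammatical: MD5 is a hash, not a cipher, so the value was not decrypted but recognised as the MD5 of the string `false`. Suggest: `That looks like an MD5 hash; looking it up shows it is the MD5 of the string "false".` Also capitalise the sentence starts ("the cookie is called", "what if I hash", "when I do this") and drop the space before the colon in "this value :". In "How Can We Patch It", "a HMAC" should be "an HMAC", and it is worth saying that the third and fifth bullets are complementary rather than alternatives: a signed cookie only proves the server issued it, so the admin role should still live in server-side session state, with the cookie carrying nothing more than an opaque, randomly generated session identifier.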