mirror of
https://github.com/tmoron/darkly.git
synced 2025-09-27 20:58:35 +02:00
add readme for weak_cookie_auth and hidden_field_manipulation
17
hidden_field_manipulation/README.md
Normal file
@ -0,0 +1,17 @@
# Hidden Field Manipulation
## How We Found It
On the sign-in page, there is a I forgot my password. This page contains just a submit button.
when I open the html of the page, there is a hidden field, this hidden field contains an email.
when we change the email and click submit, we get a flag.
## Utility of It
- Lets an attacker change internal data (like an email) sent to the server.
- Can lead to unauthorized access, data leaks, or in this case, retrieving a flag.
- Highlights trust in client-side values, which should never be trusted.
## How Can We Patch It
- Never rely on hidden fields for sensitive logic (e.g., user identity, permissions).
- Always validate input server-side against the authenticated user/session.
- Use server-side state instead of hidden form values when possible.
- If form fields must be used, consider signing or encrypting them (with care).
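Review bot: the last bullet of the patch list ("consider signing or encrypting them") does not close the hole this README describes: a signed hidden email still tells the server which account the password reset applies to, so the real fix is the second bullet, i.e. take the account from the authenticated session and ignore or reject any client-supplied identity. Suggest rewording the last bullet so that signing is presented only as protection for fields the server itself populated, never as a substitute for the session check. In "How We Found It", the first sentence should read "there is an 'I forgot my password' page", and the write-up would be clearer if it named the hidden field and the request it is sent in.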
24
weak_cookie_auth/README.md
Normal file
@ -0,0 +1,24 @@
# Weak auth via cookie
## How We Found It
On all the pages, if we have no cookies, the website gives us a cookie. the cookie is called `i_am_admin` and has this value :
```
68934a3e9455fa72420237eb05902327
```
That look like a md5 hash. what if I decrypt it.
this is a hash of `false`.
what if I hash `true` and set it as the cookie.
when I do this. on all pages, there is an alert that gives me the flag
## Utility of It
- Allows an attacker to forge an admin session by reverse-engineering or guessing cookie values.
- No need to log in or brute-force credentials — just manipulate a hash.
- Can lead to privilege escalation, access to admin features, or flag retrieval in CTFs.
## How Can We Patch It
- Never rely on easily reversible or guessable values (like md5("true")) for auth.
- Use secure session tokens, randomly generated and validated server-side.
- Store roles (like admin/user) in a server-side session — not in a modifiable cookie.
- Avoid using MD5 for any security-related checks; it's outdated and weak.
- Sign cookies with a HMAC or encrypt them if you must store data client-side.
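Review bot: "what if I decrypt it" in "How We Found It" is inaccurate; MD5 is a one-way hash, so the cookie value was matched against a table of known hashes (it is the hash of `false`), not decrypted, and the README should say "look it up" or "reverse it against a wordlist". In the patch list, "a HMAC" should be "an HMAC", and an HMAC on its own would only stop the substitution of the hash of `true` while still leaving the role inside the cookie; since the third bullet already asks for server-side roles, make that the primary recommendation and present the HMAC as a fallback for data that genuinely has to live client-side. The design error worth stating explicitly is that every unauthenticated visitor receives a cookie carrying the admin flag, so the server is trusting a value it handed out and never bound to a session. Several sentences in the findings section also start in lowercase and "That look like" should be "That looks like".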