Vulnerability A2 Broken Authentication and Session Management Description:



For almost all levels I will be using Burp Suite. Burp Suite is an intercepting proxy that lets us modify HTTP requests and responses by intercepting the data between the browser and the web server.

Since the HTTP protocol is stateless, the main method of session management is the Cookie HTTP header. If our goal is session impersonation, such as changing from user John Doe to user Mary Jane, it will undoubtedly involve session hijacking.

We can see the cookies associated with our session for the domain via Right-Click -> Inspect Element -> Resources -> Cookies. As expected, we see 2 cookies: PHPSESSID, which identifies us as a CTF competing user, and “user”, which possibly identifies us within this level as “John Doe”.


Let’s refresh the page and capture the request in Burp. There we can use Burp’s Decoder to see how sessions are managed by this application.


As the screenshot shows, select the text you want to use in the Decoder and choose “Send to Decoder”. The Decoder tab will flash; navigate there and you will see the following.


Now we can encode/decode this piece of text using different methods such as URL, Base64, HEX, HTML Entity and so on. Since the value is URL-encoded by the browser, we first need to URL-decode it. Select “Decode as..” -> “URL”. You will see the text transform to “Sk9ITitET0U=”.

One easy giveaway for an encoding is the “=” or “==” padding at the end of the string, which usually means Base64. Base64, just like URL encoding, is used to exchange non-printable characters between the communicating parties.

Let’s select “Decode as..” -> “Base64”; it decodes without any issues to the string “JOHN+DOE”. Let’s change that to “MARY+JANE” and Base64-encode it; we should get the string “TUFSWStKQU5F”.


Now we can go back to our intercepted request in the Proxy tab and change the session’s cookie to the newly produced Base64 string.


All that’s left to do is press the “Forward” button to send the request to the web server. Going back to our browser, it looks like we successfully hijacked Mary Jane’s session.
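
Why the edit was accepted, and what makes a server reject it: the added example below (not code from the level or from this write-up) puts the cookie handling this walkthrough implies next to an HMAC-signed variant. The function names, the `payload.tag` layout and the key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed key for this example only; a real key is random and kept server-side.
SECRET = b"example-only-key"


def naive_issue(user: str) -> str:
    """Cookie as the level appears to build it: Base64, then URL-encode."""
    return quote(base64.b64encode(user.encode()).decode(), safe="")


def naive_read(cookie: str) -> str:
    """Trusts whatever the client sent: URL-decode, Base64-decode, done."""
    return base64.b64decode(unquote(cookie)).decode()


def _tag(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def signed_issue(user: str) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag only the server can compute."""
    payload = base64.urlsafe_b64encode(user.encode()).decode()
    return f"{payload}.{_tag(payload)}"


def signed_read(cookie: str):
    """Return the user name, or None if the tag is missing or does not verify."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    return base64.urlsafe_b64decode(payload).decode()


if __name__ == "__main__":
    print(naive_read("TUFSWStKQU5F"))  # edited value is accepted as-is
    john = signed_issue("JOHN+DOE")
    swapped = "TUFSWStKQU5F." + john.split(".", 1)[1]  # new payload, old tag
    print(signed_read(john), signed_read(swapped))
```

Signing gives the cookie integrity, not secrecy: the name is still readable by anyone holding the cookie. The simpler design is to keep the user identity in server-side session data keyed by the random session ID and never read it back from the client.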