Description
Who doesn't love cookies? Find the best cookie at this web challenge.
Setup
Navigate to the challenge URL and observe the cookie set by the server.
Solution
- Step 1: Observe the name cookie
  When you visit the site, it sets a cookie named 'name' with an integer value (starting at 0). The server maps this integer to different items in its database. You need to find which integer value corresponds to the flag entry by iterating through values.
Learn more
HTTP cookies are key-value pairs stored in the browser and sent with every request to the server. The server uses the Set-Cookie response header to set them, and the browser sends them back in the Cookie request header. Here, the cookie value is a plain integer with no signing or encryption -- making it trivially forgeable.
- Step 2: Brute-force the cookie value
  Use curl to send requests with increasing values of the name cookie to /check. When name=18, the server returns a page containing the flag instead of the normal response.

```bash
# Test a specific value:
curl -s -b "name=18" http://<server>/check

# Or iterate automatically (fetch each page once and reuse the body):
for i in $(seq 0 100); do
  body=$(curl -s -b "name=$i" http://<server>/check)
  if printf '%s' "$body" | grep -q picoCTF; then
    echo "Found at $i: $body"
  fi
done
```
Learn more
This is an insecure direct object reference (IDOR)-style vulnerability combined with an unauthenticated enumeration attack. The server stores the flag at a specific ID in its cookie database and retrieves it based solely on the client-supplied cookie value, with no authentication check. An attacker can enumerate all IDs trivially.
The fix is straightforward: never trust client-supplied identifiers alone for authorization. Pair them with server-side session validation -- verify that the authenticated user is allowed to access the object with that ID.
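As an added example (not code from the challenge or its authors), here is a stdlib-only Python model of the lookup the writeup describes next to a hardened version that applies the fix above: a server-side session, an HMAC-signed cookie value, and a per-user access check before the id is used. The database, ACL, session store and secret key are all constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample data; not the challenge's real database or flag.
COOKIE_DB = {0: "snickerdoodle", 1: "chocolate chip", 18: "FLAG-ENTRY (constructed)"}
# Which authenticated user may read which item ids (constructed).
ACL = {"alice": {0, 1}, "admin": {0, 1, 18}}
# Server-side session store: opaque session id -> authenticated user (constructed).
SESSIONS = {"s3ss10n-alice": "alice", "s3ss10n-admin": "admin"}
SECRET_KEY = b"constructed-server-secret"

def lookup_insecure(cookies: dict) -> Optional[str]:
    """The challenge's behaviour: the client-supplied 'name' cookie is used as the id directly."""
    try:
        return COOKIE_DB.get(int(cookies.get("name", "")))
    except ValueError:
        return None

def sign_value(value: str) -> str:
    """Attach an HMAC so a tampered 'name' cookie is rejected before any lookup."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def unsign_value(signed: str) -> Optional[str]:
    """Return the original value only if the signature verifies (constant-time compare)."""
    value, _, _mac = signed.rpartition(".")
    if not value or not hmac.compare_digest(sign_value(value), signed):
        return None
    return value

def lookup_secure(cookies: dict) -> Optional[str]:
    """Hardened: requires a valid session, an intact signature, and ACL permission for the id."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return None            # unauthenticated: no lookup at all
    value = unsign_value(cookies.get("name", ""))
    if value is None or not value.isdigit():
        return None            # forged or malformed cookie value
    item_id = int(value)
    if item_id not in ACL.get(user, set()):
        return None            # authenticated, but not authorized for this object id
    return COOKIE_DB.get(item_id)
```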
Flag
picoCTF{...}
The server maps integer cookie values to items in a database -- brute-forcing the integer reveals which value corresponds to the flag entry.