Is this token random, encoded or encrypted? Challenge
Hey guys, I'm doing a challenge and I got to the 5th one on the website, but can't get through this one. Here's what I know:
- Progress cookie, used like a session, to keep your progress of the challenges.
- Seems random.
- Each dir of website.com/c/dir is unique for each progress cookie. So I can't access another user's dir (challenge) if I don't have his respective cookie. It just shows not found.
- The URL has two valid params: quantity and key. The quantity has a limit of 100; after that it shows an error that you crossed the limit and the limit is 100. The number is related to the quantity of tokens generated.
- The key param is for submitting the flag; any input that's not the flag shows an error div in the HTML saying error.
- Tried to inject SQL and JS code in the params with no success.
- The two hints are: What data is being sent to the server when you press the generate token button. - It's a GET request that sends the progress cookie and the quantity param in the URL.
- Think about if the tokens could be random, encoded or encrypted. There are ways to test and verify each.
Here are two generated tokens:
}53584505165339160982b51434d75874753c59236b53229e75a89699378959524395392f13e17871272878502926035c25{62:51G99A13L34F79
}34549590165305136901b87459d59894714c08245b71204e53a84640361963597316343f34e54843298827512919094c47{95:96G65A16L34F90
I already tried placing them in the progress cookie and creating the usual sessionid token cookies to place them in.
Any help is appreciated, thanks!!
EDIT: The key param seems to overrule the quantity param. So if I enter the two params, no matter the order, the invalid token error shows in the HTML.
from hacking: security in practice https://ift.tt/1thQ69R
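An added example, not part of the original post: one way to test the hint's "random, encoded or encrypted" question is to compare token samples column by column, since columns that never change indicate fixed structure rather than random or encrypted output. It runs on the two tokens quoted in the post; the function names are hypothetical, and with only two samples some matching digit columns are coincidence, so more samples (the quantity param allows up to 100) tighten the result.

```python
"""Column-wise comparison of token samples: fixed structure vs. per-request noise."""
import string

# The two tokens quoted in the post above.
TOKENS = [
    "}53584505165339160982b51434d75874753c59236b53229e75a89699378959524395392f13e17871272878502926035c25{62:51G99A13L34F79",
    "}34549590165305136901b87459d59894714c08245b71204e53a84640361963597316343f34e54843298827512919094c47{95:96G65A16L34F90",
]


def column_report(tokens):
    """Split column indexes into constant ({i: char}) and varying ({i: set of chars})."""
    if len({len(t) for t in tokens}) != 1:
        raise ValueError("tokens differ in length; align them before comparing")
    constant, varying = {}, {}
    for i, column in enumerate(zip(*tokens)):
        seen = set(column)
        if len(seen) == 1:
            constant[i] = column[0]
        else:
            varying[i] = seen
    return constant, varying


def skeleton(tokens, wildcard="."):
    """Token with every varying column masked, leaving only what all samples share."""
    constant, _ = column_report(tokens)
    return "".join(constant.get(i, wildcard) for i in range(len(tokens[0])))


def varying_alphabet(tokens):
    """Every character seen in a column that changes between samples."""
    _, varying = column_report(tokens)
    return set().union(*varying.values())


def fixed_markers(tokens):
    """Constant non-digit characters, in order: the part least likely to be chance."""
    return "".join(c for c in skeleton(tokens) if c != "." and c not in string.digits)


if __name__ == "__main__":
    constant, varying = column_report(TOKENS)
    print(f"{len(constant)} constant / {len(varying)} varying columns")
    print("skeleton:", skeleton(TOKENS))
    print("varying alphabet:", "".join(sorted(varying_alphabet(TOKENS))))
    print("fixed non-digit markers:", fixed_markers(TOKENS))
```

A varying alphabet limited to digits, together with letters and punctuation that stay in the same columns across samples, is not what a uniformly random or encrypted token looks like.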