Authentication

  • Check whether the cookie can be changed to admin

  • Check whether the cookie is kept as a hash (MD4, SHA)

String comparison Method Problems

When you create a user, the application will check programmatically that the user does not exist by comparing the username provided with the existing users.

When you log in, the application will check that your username and password are correct, and then it will save your username in your session.

Finally, every time you access the application, the application will retrieve your user's details based on the username stored in the session. The trick here comes from the fact that the comparison when you create a user is done programmatically (i.e. in Ruby), but when the user's details get retrieved, the comparison is done by the database. By default, MySQL (with the type VARCHAR) performs a case-insensitive comparison: "admin" and "Admin" are the same value.

Using this information, you should be able to create a user that will be identified as admin.

To remediate the previous issue, the developer decided to use a case-sensitive comparison during user creation.

This check can also be bypassed based on the way MySQL performs string comparison: MySQL ignores trailing spaces (i.e. getsystem and getsystem[space] are equal). Using the same method as above, you should be able to pretend to be logged in as the user admin.
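The mismatch described above, as an added Ruby example that is not part of the original page: the Ruby-side duplicate check uses byte-exact comparison while the lookup uses MySQL's semantics. MySQL's behaviour is emulated in Ruby so the example runs offline, assuming a case-insensitive PAD SPACE collation such as utf8_general_ci (MySQL 8.0's utf8mb4_0900_ai_ci default is NO PAD and keeps trailing spaces significant); the user table and account names are constructed.

```ruby
# Emulates MySQL's default VARCHAR comparison (assumption: a case-insensitive
# collation with PAD SPACE semantics, e.g. utf8_general_ci): case is ignored
# and trailing spaces are ignored.
def mysql_equal?(a, b)
  a.downcase.rstrip == b.downcase.rstrip
end

# Constructed sample table: the seeded administrator account.
USERS = [{ username: 'admin', role: 'admin' }].freeze

# Vulnerable registration: the duplicate check uses Ruby's byte-exact ==,
# so "Admin" and "admin " both look like brand-new usernames.
def register_vulnerable(users, username)
  return :taken if users.any? { |u| u[:username] == username }
  users + [{ username: username, role: 'user' }]
end

# Hardened registration: the duplicate check applies the same comparison the
# database will use at lookup time (equivalently: normalise the input before
# storing it and enforce a UNIQUE index on the column).
def register_hardened(users, username)
  return :taken if users.any? { |u| mysql_equal?(u[:username], username) }
  users + [{ username: username, role: 'user' }]
end

# Models "SELECT * FROM users WHERE username = ?" under MySQL semantics: the
# first matching row wins, and the seeded admin row is first.
def lookup_by_session(users, username)
  users.find { |u| mysql_equal?(u[:username], username) }
end

# Role the application would grant after registering `username` with the
# given registrar and then loading the account from the session.
def role_after_signup(registrar, username)
  users = send(registrar, USERS, username)
  return :taken if users == :taken
  lookup_by_session(users, username)[:role]
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, 'Admin'  => #{role_after_signup(:register_vulnerable, 'Admin')}"
  puts "vulnerable, 'admin ' => #{role_after_signup(:register_vulnerable, 'admin ')}"
  puts "hardened,   'Admin'  => #{role_after_signup(:register_hardened, 'Admin')}"
end
```

With the vulnerable registrar both variants end up loading the admin row from the session, while the hardened registrar rejects them as duplicates and still accepts a genuinely new name.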

Redirection

Check for a 302 Found redirection while the site loads.
