Manipulate session identifiers to escalate privileges and learn why sessions must expire and never be exposed to unauthorized users
This writeup gives a step-by-step explanation of the picoCTF challenge “Old Sessions”. The best learning experience comes from working through the challenge alone, but read on if you’re stuck or are curious about other approaches.
picoCTF uses Capture The Flag (CTF) security challenges to teach security fundamentals. The challenges cover various security categories (web exploitation, cryptography, forensics, etc.), but they all share the common goal of finding a flag in the format picoCTF{unique-text-string-here}. Some challenges are easy and others deviously difficult, but they are all great for learning security skills.
About the “Old Sessions” Challenge
This is a beginner challenge, and it can be solved by anyone with a web browser and some technical skills that will be explained in the writeup.
- Name: Old Sessions
- Category: Web Exploitation
- Difficulty: Easy
- Description: Proper session timeout controls are critical for securing user accounts. If a user logs in on a public or shared computer but doesn’t explicitly log out (instead simply…
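The challenge description above explains why sessions must expire and why an old identifier must never keep working. As an added example that is not part of the original writeup or of picoCTF's challenge code, here is a minimal server-side session store in Python that enforces both an idle timeout and an absolute lifetime, deletes expired records so a stale identifier cannot be replayed, and issues unpredictable identifiers. The timeout values, the user names and the fake clock are assumptions chosen for the demonstration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example (not from the challenge).
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session store with idle and absolute expiry."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = None):
        import time
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock or time.time

    def create(self, user: str) -> str:
        # 256-bit random token: never derived from a username, counter or timestamp
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def _expired(self, sess: Session, now: float) -> bool:
        return (now - sess.last_seen > self.idle_timeout
                or now - sess.created_at > self.absolute_timeout)

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a valid session id, or None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if self._expired(sess, now):
            # Delete server-side so the identifier can never be reused.
            del self._sessions[sid]
            return None
        sess.last_seen = now          # activity extends the idle window only
        return sess.user

    def logout(self, sid: str) -> None:
        # Explicit logout invalidates server-side state, not just the cookie.
        self._sessions.pop(sid, None)

    def purge_expired(self) -> int:
        """Background sweep for sessions that were never touched again."""
        now = self.clock()
        stale = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


class FakeClock:
    """Controllable clock so the demo runs instantly and deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    out = {}

    sid = store.create("alice")
    out["fresh"] = store.resolve(sid)              # "alice"
    clock.advance(600)
    out["active"] = store.resolve(sid)             # still "alice": used within idle window
    clock.advance(901)
    out["idle_expired"] = store.resolve(sid)       # None: 901 s idle > 900 s
    out["reuse_after_expiry"] = store.resolve(sid) # None: record is gone

    sid = store.create("bob")
    for _ in range(4):
        clock.advance(800)
        store.resolve(sid)                         # kept alive, 3200 s elapsed
    clock.advance(800)                             # 4000 s > 3600 s absolute cap
    out["absolute_expired"] = store.resolve(sid)   # None despite recent activity

    out["forged"] = store.resolve("not-a-real-session-id")  # None

    sid = store.create("carol")
    store.logout(sid)
    out["after_logout"] = store.resolve(sid)       # None

    store.create("dave")
    store.create("eve")
    clock.advance(1000)
    out["purged"] = store.purge_expired()          # 2
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two limits serve different purposes: the idle timeout covers the shared-computer case the description mentions (a user who walks away without logging out), while the absolute cap bounds how long any captured identifier stays useful even if the session is kept active. Both checks live on the server, so nothing the client sends can extend a session past policy.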