I was wondering, has anyone played around with WebGoat and solved their “Hijack a session”?
I’m using latest version which you can find at https://github.com/WebGoat/WebGoat/releases/tag/v2023.4
Download the jar file and run it with java -jar webgoat-2023.4.jar to bring up the lab.
I sent the session to Repeater and noticed that “hijack_cookie” is predictable. The first part is easy: it is incremented by one, from 90 to 95 and so on.
However, the second part is a little bit tricky. I’ve been looking at this for hours and I can’t figure it out yet.
Set-Cookie: hijack_cookie=5183292529236277390-1677844963222;
Set-Cookie: hijack_cookie=5183292529236277391-1677844963782;
Set-Cookie: hijack_cookie=5183292529236277392-1677844966110;
Set-Cookie: hijack_cookie=5183292529236277393-1677845094872;
Set-Cookie: hijack_cookie=5183292529236277394-1677845115207;
Set-Cookie: hijack_cookie=5183292529236277395-1677845755408;
Not really sure if it’s feasible to brute-force the second part.
Checked the hint and found this; nothing useful, as I already know the pattern is predictable but don’t know how:
Hint: Check the ‘hijack_cookie’ cookie value and think about its format.
If any of you have solved this, feel free to share your knowledge on how to solve it. Thank you.
submitted by /u/w0lfcat
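As an added example, not part of the post above and not WebGoat's own code: the kind of session-identifier predictability check a tester or defender runs over a sample of issued tokens before calling them safe. It splits each value on the hyphen, checks whether the first field behaves like a sequential counter and whether the second field parses as a monotonic millisecond Unix timestamp (the "format" the lesson hint refers to), and contrasts that with a token drawn from a CSPRNG, which is what a session identifier should look like. The six input values are the ones quoted in the post; the function names and the year bounds used for the timestamp heuristic are this example's own assumptions.

```python
import secrets
from datetime import datetime, timezone

# Sample input: the six hijack_cookie values quoted in the post (constructed list).
SAMPLE_COOKIES = [
    "5183292529236277390-1677844963222",
    "5183292529236277391-1677844963782",
    "5183292529236277392-1677844966110",
    "5183292529236277393-1677845094872",
    "5183292529236277394-1677845115207",
    "5183292529236277395-1677845755408",
]


def parse_cookie(value):
    """Split 'left-right' into two integers; raises ValueError on any other shape."""
    left, right = value.strip().split("-")
    return int(left), int(right)


def looks_like_epoch_ms(n, lo_year=2000, hi_year=2100):
    """Heuristic (assumed bounds): does n decode as a plausible ms-since-epoch value?"""
    try:
        dt = datetime.fromtimestamp(n // 1000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return False  # far outside any representable or plausible date
    return lo_year <= dt.year <= hi_year


def epoch_ms_to_iso(n):
    """Render a millisecond timestamp as an ISO-8601 UTC string (second precision)."""
    return datetime.fromtimestamp(n // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def analyze(cookies):
    """Flag predictability patterns across a sample of session identifiers."""
    parsed = [parse_cookie(c) for c in cookies]
    lefts = [l for l, _ in parsed]
    rights = [r for _, r in parsed]
    left_deltas = [b - a for a, b in zip(lefts, lefts[1:])]
    right_deltas = [b - a for a, b in zip(rights, rights[1:])]

    findings = []
    if left_deltas and all(d == 1 for d in left_deltas):
        findings.append("first field is a sequential counter (delta 1 between issues)")
    if all(looks_like_epoch_ms(r) for r in rights) and rights == sorted(rights):
        findings.append("second field parses as a monotonic millisecond timestamp")
    if findings:
        findings.append("identifier is derived from observable state, not from a CSPRNG")

    return {
        "left_deltas": left_deltas,
        "right_deltas": right_deltas,
        "first_issued": epoch_ms_to_iso(rights[0]) if rights else None,
        "findings": findings,
    }


def secure_session_id(nbytes=32):
    """What an unpredictable session identifier looks like: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    report = analyze(SAMPLE_COOKIES)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("example of a sound identifier:", secure_session_id())
```

The check is deliberately generic: any sample where one field steps by a constant and another field decodes to a plausible date is a weak identifier regardless of the application, and the fix on the server side is the last line of the block, an identifier generated entirely from a CSPRNG and tied to server-side session state rather than to a counter or clock.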