OWASP top 10 vulnerabilities CTF lesson – Broken Session Management


The CTF365 lessons are based on the OWASP Top 10 vulnerabilities, which is still valid in 2020. The following are the lessons provided by CTF365. Note that they are not only the top 10: the list actually covers 11 items, and they are not in any particular order. You can sign up for Security Shepherd using a CTF365 account and start learning.

1. Broken Session Management
2. Cross Site Request Forgery (CSRF)
3. Cross Site Scripting (XSS)
4. Failure to Restrict URL Access
5. Insecure Cryptographic Storage
6. Insecure Direct Object References
7. Poor Data Validation
8. Security Misconfiguration
9. SQL Injection (SQLi)
10. Untrusted Input
11. Unvalidated Redirects and Forwards

1. Broken Session Management

The first OWASP lesson is about Broken Session Management. A short description is given on the lesson page itself, but if you want to read more about it you can always check the official OWASP page, where it is described in more detail. Please click here to go to the link.

Broken Authentication and Session Management

The task to complete the Broken Authentication and Session Management lesson is to do the following:

This lesson implements bad session management. Investigate the following function to see if you can trick the server into thinking you have already completed this lesson to retrieve the result key.

Fire up Burp Suite and capture the request sent by clicking on “Complete This Lesson”. If you do not know how to route your browser through Burp, click on this post, where I have briefly described how to configure Google Chrome with Burp Suite.

Screenshot: the Broken Authentication and Session Management request captured in Burp Suite

Notice the cookie value lessonNotComplete in the intercepted request. The server is trusting a client-side value to decide whether the lesson is done, so change it to lessonComplete and forward the request.

Screenshot: the modified request and the server response containing the result key

Nice! We got the key. Paste it into the lesson page to complete the current lesson.

Screenshot: the Broken Authentication and Session Management lesson marked as complete
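The root cause of this lesson is that the server reads its "lesson complete" state straight from a cookie the client controls. The following is an added example (not Security Shepherd's own code) that puts the vulnerable check beside two hardened forms: keeping the flag in server-side session state behind an opaque session id, and, if state must travel in the cookie, signing it with an HMAC so edits are detected. Function names, the in-memory store and the secret key are assumptions made for the demo.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# --- Vulnerable pattern: the server trusts a client-editable cookie value.
# Constructed to mirror the lesson's lessonNotComplete / lessonComplete flag.
def vulnerable_lesson_complete(cookies: dict) -> bool:
    # Whoever edits the cookie to "lessonComplete" is treated as done.
    return cookies.get("lessonComplete") == "lessonComplete"


# --- Hardened pattern 1: completion state lives on the server. The client
# only holds an opaque, unguessable session id; the flag itself never leaves
# the server, so editing cookies cannot change it.
SESSION_STORE: dict = {}  # session id -> per-session state (in-memory demo store)

def new_session() -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSION_STORE[sid] = {"lesson_complete": False}
    return sid

def mark_lesson_complete(sid: str) -> None:
    # Only called after the server itself has verified the user solved the lesson.
    SESSION_STORE[sid]["lesson_complete"] = True

def hardened_lesson_complete(cookies: dict) -> bool:
    state = SESSION_STORE.get(cookies.get("session_id", ""))
    return bool(state and state["lesson_complete"])


# --- Hardened pattern 2: if state must ride in the cookie, sign it so the
# server can detect client-side edits. SECRET_KEY is a constructed demo key.
SECRET_KEY = secrets.token_bytes(32)

def sign_value(value: str) -> str:
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_signed_value(cookie: str) -> Optional[str]:
    # Returns the value only if its MAC matches; constant-time compare.
    value, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None

def signed_cookie_lesson_complete(cookies: dict) -> bool:
    return verify_signed_value(cookies.get("lessonComplete", "")) == "lessonComplete"
```

With either hardened form, the edit shown in the screenshots above no longer changes the server's decision: the opaque session id carries no flag to flip, and a re-typed signed value fails its MAC check.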
