
Broken Authentication — Predictable Session Token

Medium · Identification and Authentication Failures (A07:2021) · 25 min

Flag submissions require login via tc_sso. Reading instructions does not.


Scenario

AcmePortal stores the active session as a base64-encoded string of the form username:timestamp in localStorage (key: acme_session). No HMAC. No server-side validation. Whoever can edit localStorage controls the session.

Steps

  1. Click Login in the right pane (any username/password works — auth boundary isn't the lesson here). You'll be logged in as rverma (a regular user).
  2. Open browser DevTools → Application → Local Storage → lab.techclick.in. Find the acme_session key.
  3. Decode the value (base64). It should look like rverma:1716.... The format is <username>:<unix-timestamp>.
  4. Re-encode a new session for the user acme_admin using the same format. (Pick any recent timestamp.)
  5. Paste the new base64 string back into the acme_session localStorage value. Reload the page.
  6. The page should now show the admin dashboard with the flag.

Why this is broken

  • No HMAC/signature → tokens are trivially forgeable.
  • Predictable format → no entropy; an attacker doesn't need to break any crypto, only write a string.
  • Stored in localStorage → JS-accessible, so any XSS on the origin can read, exfiltrate, or overwrite it.
  • No server-side check → the token's claimed identity is accepted as-is.

The flag

TC{broken_auth_…} appears on the admin dashboard after you forge the session.

Hints

Hint 1 (−10 pts)

Open DevTools. Application tab → Local Storage. Look at the acme_session value. It's base64 of username:timestamp.

Hint 2 (−10 pts)

Decode rverma:<ts> → re-encode acme_admin:<ts> → paste back. Reload. btoa('acme_admin:1716000000') = YWNtZV9hZG1pbjoxNzE2MDAwMDAw

Hint 3 (−10 pts)

Full flag: TC{broken_auth_forged_unsigned_session_in_localstorage}

Lab environment · sandboxed iframe · auto-resets every 60 min