DOJO CHALLENGE #21 Winners!
ID: f266d51a-d902-5aa6-89ea-c458aa09048e
STIX ID: report--f266d51a-d902-5aa6-89ea-c458aa09048e
Feed Name: YesWeHack Blog | Cybersecurity Insights and Bug Bounty Trends| RSS Feed
This write-up documents an improper access control SQL-logic vulnerability (CWE-284, CVSSv3 8.6) in a challenge web application that allows an attacker to become the sole administrator by inserting a user with id=0, bypassing username filters via case differences, and supplying a hex-encoded password matching the admin pattern; the report contains the vulnerable SQL, a proof-of-concept (id:0, username: ADMIN, passwd: 464c41477b466c6f637a69697d), exploitation steps, and remediation advice (strict admin id checks, default role assignment, proper username normalization, and avoiding LIKE for password checks).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
