[web][Pro][easy]
Lab 192 — StockFlow — Broken Authentication via CSRF Token Reuse
hackadvisor
Task: An Express.js inventory management platform with staff and admin roles. The admin settings page contains the flag, but staff users get 'Access Denied'.

Solution: Discovered a legacy admin-user creation endpoint referenced in commented-out JavaScript. The endpoint validated the CSRF token but performed no authorization check, so a CSRF token issued for the profile page was reused against it to create a new admin account. Logging in as that admin then exposed the flag at /admin/settings.
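The root cause in this lab is an endpoint that treats a valid CSRF token as if it were proof of privilege. The following is an added example, not code from the writeup or from the StockFlow application, showing the vulnerable route shape beside the hardened one. It uses Express-style `(req, res, next)` handlers but no Express dependency, so it runs as plain Node. The names `requireRole`, `createAdmin`, `legacyRoute`, `hardenedRoute`, the in-memory `users` map, the session shape `{ user: { name, role }, csrfSecret }` and the `x-csrf-token` header are all assumptions made for the example; the CSRF check is a simplified stand-in for csurf's token validation.

```javascript
// Added example (not from the writeup): an admin-creation route in its
// vulnerable form (CSRF check only) and its hardened form (CSRF check plus
// an explicit role check). Constructed data throughout.

// Constructed in-memory user store.
const users = new Map([
  ['alice', { role: 'staff' }],
  ['root', { role: 'admin' }],
]);

// Simplified stand-in for csurf: the token is valid for this session if it
// matches the secret bound to the session. A CSRF token proves the request
// came from the app's own page, not that the caller is allowed to act.
function csrfTokenValid(req) {
  const sent = req.headers['x-csrf-token'];
  const secret = req.session && req.session.csrfSecret;
  return Boolean(sent && secret && sent === secret);
}

// Authorization middleware (assumed name): rejects any session whose user
// does not hold the required role, before the handler runs.
function requireRole(role) {
  return function (req, res, next) {
    const user = req.session && req.session.user;
    if (!user || user.role !== role) {
      return res.status(403).json({ error: 'Access Denied' });
    }
    return next();
  };
}

// The admin-creation handler itself, shared by both route shapes.
function createAdmin(req, res) {
  if (!csrfTokenValid(req)) {
    return res.status(403).json({ error: 'invalid csrf token' });
  }
  users.set(req.body.username, { role: 'admin' });
  return res.status(201).json({ created: req.body.username });
}

// Vulnerable wiring: equivalent to app.post('/legacy/admin', createAdmin).
const legacyRoute = [createAdmin];
// Hardened wiring: app.post('/legacy/admin', requireRole('admin'), createAdmin).
const hardenedRoute = [requireRole('admin'), createAdmin];

// Minimal res stub so the chain can be exercised without a server.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run a request through a route chain the way Express would: each
// middleware must call next() for the chain to continue.
function run(route, req) {
  const res = makeRes();
  for (const fn of route) {
    let passed = false;
    fn(req, res, () => { passed = true; });
    if (!passed) return res;
  }
  return res;
}

// Constructed staff session carrying a CSRF token issued for the profile page.
function staffRequest(username) {
  return {
    headers: { 'x-csrf-token': 'profile-token-123' },
    session: { user: { name: 'alice', role: 'staff' }, csrfSecret: 'profile-token-123' },
    body: { username },
  };
}

// Same staff token against both wirings: the legacy route creates an admin,
// the hardened route refuses before the handler runs.
function demo() {
  const legacy = run(legacyRoute, staffRequest('mallory'));
  const hardened = run(hardenedRoute, staffRequest('mallory2'));
  return {
    legacyStatus: legacy.statusCode,          // 201
    legacyCreatedRole: (users.get('mallory') || {}).role, // 'admin'
    hardenedStatus: hardened.statusCode,      // 403
    hardenedCreated: users.has('mallory2'),   // false
  };
}

console.log(JSON.stringify(demo()));
```

The point the hardened wiring makes is that CSRF protection and authorization are independent checks: the token only ties a request to a session, so every privileged route still needs its own role check, including routes that are no longer linked from the UI.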
Tags: sqlite, nodejs, information_disclosure, express, privilege_escalation, csrf, broken_access_control, decoy_flag, admin_bypass, csrf_token_reuse, legacy_endpoint, csurf

Techniques: decoy_flag_evasion, csrf_token_reuse_across_endpoints, broken_access_control_on_admin_endpoint, legacy_endpoint_discovery_via_javascript_comments, privilege_escalation_staff_to_admin
Similar writeups
- [web][Pro] Lab 153 — FlowDesk — CSRF Account Takeover via Email Change — hackadvisor
- [web][Pro] Lab 72 — WriteFlow — Stored XSS via WYSIWYG Editor Sanitizer Bypass — hackadvisor
- [web][Pro] Lab 291 — HireFlow — Broken Authorization in Premium Feature Endpoints — hackadvisor
- [web][Pro] Lab 198 — PayrollSync — Broken Auth via GraphQL Introspection — hackadvisor
- [web][Pro] DevPulse — CSRF via JSON Content-Type Bypass — hackadvisor