webPromedium

DeskFlow — Session Fixation via Support Ticket URL

hackadvisor

Task: Express.js support ticket platform where admin bot visits reference URLs; connect.sid accepts ?sid= query parameter and session ID doesn't rotate after login. Solution: Session fixation — submit ticket with reference_url pointing to http://localhost:8080/login?sid=ATTACKER_SID, admin bot authenticates with that SID, then reuse it to access /admin/dashboard.

$ ls tags/ techniques/

nodejs session_fixation nginx express privilege_escalation admin_bot cookie localhost support_ticket connect_sid

session_fixation_via_query_parametersession_id_no_rotationadmin_bot_url_visitlocalhost_internal_accessarbitrary_session_id_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 3 — DeskFlow — SQL Injection in Ticket View— hackadvisor
[web][Pro]Lab 72 — WriteFlow — Stored XSS via WYSIWYG Editor Sanitizer Bypass— hackadvisor
[web][Pro]Lab 375 — PageFlow — Web Cache Deception via Path Normalization— hackadvisor
[web][Pro]Lab 153 — FlowDesk — CSRF Account Takeover via Email Change— hackadvisor
[web][Pro]MetricFlow — DOM XSS via Prototype Pollution Gadget— hackadvisor