CopyPasta

Today our hint is BAC (broken access control). Whenever I see this, my default is to register two users: shadow:shadowforge and shadow2:shadowforge. I do this for a very simple reason. If I control two users, I can try to mess with those two users without risking accidentally overwriting or, even worse, deleting other users' data. I will always try to navigate horizontally before attempting to attack higher-privileged users.

After clicking around creating, editing, and liking stuff, I figured my proxy had captured enough traffic to start. I opened up Burp and started looking around.

Because I had two users, I could easily figure out which ID some snippets had. With that knowledge I tried to update an item, but with my second user's JWT. Unfortunately the security implementation was good on this endpoint.

Not to worry, loads of things to try. I used the same attack, but I switched the HTTP verb to DELETE. Users can delete snippets they own, so maybe I could delete a snippet from my first user using the JWT from my second one.

The request went through, and I was rewarded with the flag 🇧🇪
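The bug behind this flag is a classic one: the ownership check lived inside the update handler instead of in front of every verb that can touch the resource, so DELETE never saw it. The following is an added example (not the challenge's code or the post's own) showing a toy in-memory snippet API with exactly that gap, a hardened version that puts one ownership gate in front of all mutating verbs, and a small cross-user regression matrix a defender can keep in a test suite. The user names are the ones from the write-up; the tokens, snippet data, and handler names are constructed stand-ins for the real JWTs and endpoints.

```python
"""Ownership checks must cover every verb, not only the one you tested first.

Added example, not the challenge's code: a toy in-memory snippet API whose
update handler enforces ownership while the delete handler forgot to, next to
a hardened version that routes every mutating verb through one check.
Tokens here are constructed opaque strings standing in for real JWTs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed token -> user mapping; a real service would verify a signed JWT.
SESSIONS = {"tok-shadow": "shadow", "tok-shadow2": "shadow2"}

# Verbs that change state and therefore need an ownership decision.
MUTATING = {"PUT", "PATCH", "DELETE"}


@dataclass
class Snippet:
    id: int
    owner: str
    body: str


@dataclass
class SnippetStore:
    snippets: Dict[int, Snippet] = field(default_factory=dict)

    @classmethod
    def seeded(cls) -> "SnippetStore":
        # Constructed data: one snippet per user.
        return cls({1: Snippet(1, "shadow", "hello"),
                    2: Snippet(2, "shadow2", "world")})


def current_user(token: Optional[str]) -> Optional[str]:
    return SESSIONS.get(token or "")


# --- Vulnerable: each branch does its own (inconsistent) authorization ------

def vulnerable_handle(store: SnippetStore, method: str, snippet_id: int,
                      token: Optional[str], body: str = "") -> int:
    user = current_user(token)
    if user is None:
        return 401
    snippet = store.snippets.get(snippet_id)
    if snippet is None:
        return 404
    if method == "GET":
        return 200
    if method == "PUT":
        if snippet.owner != user:          # ownership enforced here ...
            return 403
        snippet.body = body
        return 200
    if method == "DELETE":                 # ... but forgotten here
        del store.snippets[snippet_id]
        return 204
    return 405


# --- Hardened: one ownership gate in front of every mutating verb -----------

def authorize(snippet: Snippet, user: str, method: str) -> Optional[int]:
    """Return an HTTP error status, or None if the request may proceed."""
    if method in MUTATING and snippet.owner != user:
        return 403
    return None


def hardened_handle(store: SnippetStore, method: str, snippet_id: int,
                    token: Optional[str], body: str = "") -> int:
    user = current_user(token)
    if user is None:
        return 401
    snippet = store.snippets.get(snippet_id)
    if snippet is None:
        return 404
    denied = authorize(snippet, user, method)   # runs before any branch
    if denied is not None:
        return denied
    if method == "GET":
        return 200
    if method == "PUT":
        snippet.body = body
        return 200
    if method == "DELETE":
        del store.snippets[snippet_id]
        return 204
    return 405


# --- Regression check: try every mutating verb as a non-owner --------------

def cross_user_matrix(handler: Callable[..., int]) -> Dict[str, int]:
    """Act on snippet 1 (owned by shadow) with shadow2's token for each verb.
    Any 2xx in the result is an authorization gap."""
    results = {}
    for method in sorted(MUTATING):
        store = SnippetStore.seeded()
        results[method] = handler(store, method, 1, "tok-shadow2", "x")
    return results


if __name__ == "__main__":
    print("vulnerable:", cross_user_matrix(vulnerable_handle))
    print("hardened:  ", cross_user_matrix(hardened_handle))
```

The matrix is the point: a check that passed for PUT says nothing about DELETE or PATCH, so the test enumerates every state-changing verb against a resource the caller does not own and fails on any success. Running it against the vulnerable handler reports DELETE as 204; against the hardened one every verb comes back 403 and the snippet is still there.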
