June 6, 2026
WEB EXPLOITATION CyLab: Old Sessions
We will look into the “Old Sessions” challenge:
Yanina Paola Quispe Orellana
When we access the website, the first screen shown to us is the login page:
So, first we need to register an account on the platform:
Next, we log in to the system using our new credentials:
This is our session dashboard:
While inspecting the comments section, we can notice that the second comment says: "Hey I found a strange page at /sessions"
Following this hint and visiting the route, it shows us the following data:
Great, we see that the application exposes the session tokens of other users, including the admin.
This is a case of "Sensitive data exposure" combined with "Broken session management".
Lack of access control: any unauthenticated user can access the /sessions route and view other users' secret session identifiers.
Session token exposure: if an attacker obtains one of these tokens, they can perform a "Session hijacking" attack.
Indefinite persistence: the dictionary shows "_permanent: True", which confirms the developer configured the session to never expire.
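To show how the three weaknesses above would be closed on the server side, here is an added example (not code from the challenge or the write-up): a small server-side session registry in plain Python. It is an assumed design, with a 30-minute idle timeout chosen for illustration; the hardened /sessions view requires an authenticated admin caller and returns metadata only, never token values.

```python
import hashlib
import secrets
import time

SESSION_LIFETIME = 30 * 60  # idle timeout in seconds; assumed policy, not from the challenge


class SessionStore:
    """Server-side session registry addressing the issues found on /sessions."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._sessions = {}  # sha256(token) -> {"user", "role", "created", "last_seen"}

    @staticmethod
    def _hash(token):
        # Only a hash is stored: a dump of the registry cannot be replayed as a cookie.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, role="user"):
        token = secrets.token_urlsafe(32)  # high-entropy, unguessable identifier
        now = self._now()
        self._sessions[self._hash(token)] = {
            "user": user, "role": role, "created": now, "last_seen": now,
        }
        return token  # handed out once, to be set as the session cookie

    def resolve(self, token):
        """Return the session for a presented cookie, or None if unknown or expired."""
        key = self._hash(token) if token else None
        entry = self._sessions.get(key) if key else None
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_LIFETIME:
            del self._sessions[key]  # no permanent sessions: idle ones are dropped
            return None
        entry["last_seen"] = self._now()
        return entry

    def list_sessions(self, token):
        """Hardened /sessions view: returns (status, body) like an HTTP handler would.

        401 without a valid session, 403 for non-admins, and the body carries
        who is logged in and since when, never the token values themselves."""
        caller = self.resolve(token)
        if caller is None:
            return 401, None
        if caller["role"] != "admin":
            return 403, None
        rows = [{"user": s["user"], "role": s["role"], "created": int(s["created"])}
                for s in self._sessions.values()]
        return 200, rows
```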
With this information, we can steal the admin's cookie value and exploit it.
By changing our browser's cookie value like this:
We refresh the page and successfully find the flag:
The challenge is solved!