The session ID generated when logging in as a guest and the session ID generated when logging in as admin would be different, so I'm wondering why even the admin password is changed with the cookie value generated when logging in with guset.

I think the core of this problem is changing the bill number using a Selenium session logged in with an administrator account. Is there evidence in the problem code that the session you added with Selenium is an administrator session? No matter where I look in the code, I can't find the part where I log in to the administrator account with Selenium.

<img src="/change_password?pw=1234" /> <img src= “/change_password? pw=admin"> The code above is the code that changed pw when I put it on the flag page The code below is the code where pw did not change when added to the flag page. I think the difference between the two codes is the presence or absence of/at the end. Explain the two codes

What I understood is csrf The attacker enters the <img src="/change_password?...">same phrase in the same place as the 'free bulletin board' The password changes as soon as the user clicks on the post The attacker waits for the admin password to change and then seizes the administrator account.

@app .route (“/vuln”) def vuln (): param = request.args.get (“param”, “”) .lower () xss_filter = ["frame”, “script”, “on”] for _ in xss_filter: param = param.replace (_, “*”)

In the [csrf-2] (https://dreamhack.io/wargame/challenges/269/) problem, I understood that params are sent to the vuln page through the check_csrf function through the flag page. I wonder why the param passed in this way doesn't appear on the Vuln page at the same time even though it is a return param. check

I'm sending a POST from /flag http://127.0.0.1:8000/vuln? param= ... If you make the same transmission as @app .route (“/flag”, methods= ["GET”, “POST”]) def flag (): if request.method == “GET”: return render_template (”

change_password or other code says that username and pw are the same Even on the home page, it says username == “admin” I changed the username to admin using the img tag, but why can't I do it? It's going to be pw

<img src="http://localhost:8000/change_password?pw=1234&sessionid=document.cookie"/>I said, the problem wasn't solved <img src="./change_password?pw=1234&sessionid=document.cookie"/>I said, “The problem wasn't solved,” and it said it was solved. The code above

Problem solved. What I'm curious about is change_password a command that has been entered since the page was created? Or is it a specified function? If it's entered from the beginning, I need to find that command to solve the problem without explanation. How can I find it? I have a question because I can't find a code source or the like.