Great teaching sir, i learnt new techniques today sir, but I struggle to find the version softwar names and there vulnerability in every ctf's so any suggestions sir
Just keep going bro, you'll learn something new each time 😊 Look for any keywords you see in a challenge e.g. in this case "Flask" and "Session" popped in the error message, then search around (hacktricks is usually a good start). Don't worry though there are many, many challenges I struggle with 😅 If you never struggle, you never learn 😉
Thanks! Ermm I wouldn't of thought so, presumably would show you the data like jwt.io but nothing more. You could just import the flask-unsign library into a python script instead though 😊
![Stored XSS and IDOR with Predictable HMAC Generation - "knock-knock" Web Challenge [DiceCTF 2022]](http://i.ytimg.com/vi/Og5_5tEg6M0/mqdefault.jpg)
![Stored XSS and IDOR with Predictable HMAC Generation - "knock-knock" Web Challenge [DiceCTF 2022]](/img/tr.png)
love your videos so much, keep going
thanks mate 🥰
Great teaching sir, i learnt new techniques today sir, but I struggle to find the version softwar names and there vulnerability in every ctf's so any suggestions sir
Just keep going bro, you'll learn something new each time 😊 Look for any keywords you see in a challenge e.g. in this case "Flask" and "Session" popped in the error message, then search around (hacktricks is usually a good start). Don't worry though there are many, many challenges I struggle with 😅 If you never struggle, you never learn 😉
@@_CryptoCat thanks a lot sir
Beginner here, i was doing the exact same way but whenever i refreshed the page, it always shows me Access denied
Ok so apparently it didnt work on microsoft edge but worked on opera browser
Awww wtf 😆
Btw thank you so much for the writeup
@@abdullahshafique3079 np mate, thanks for watching! 🥰
Is there any other way to find that secret key?
Apart from brute force, maybe you can leak it through some errors or find hardcoded somewhere.. If you have another vuln, e.g. LFI, that would help!
@@_CryptoCat I tried that template injection that {{}} thing but still didn't work maybe there is another way to solve that challenge.
@@_CryptoCat nice video btw... make video on some other vulnerability of flask waiting for that
Great video, but can you do it with python jwt library?
Thanks! Ermm I wouldn't of thought so, presumably would show you the data like jwt.io but nothing more. You could just import the flask-unsign library into a python script instead though 😊