Hardcoded Secrets in Dedos-web 1.0 Allow Privilege Escalation via Session Cookie Manipulation

Hardcoded Secrets in Dedos-web 1.0 Allow Privilege Escalation via Session Cookie Manipulation

CVE-2018-10813 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation.

Learn more about our Web App Pen Testing.