Click Me — Cookie Integer Forge to Reach Counter Target

The app tracks clicks with an integer cookie. Skip the clicking by setting ‘cookies’ to 10000000 directly and requesting the page — the server trusts the cookie value and returns the flag.

January 1, 2024 · 1 min · giordii

Cookie Monster — Base64 JSON Cookie Role Elevation

The session cookie is a URL-encoded base64 of a JSON string like ‘id-role-username’. Decode it, change the role to 0 and username to admin, re-encode, and access the admin page.

January 1, 2024 · 2 min · giordii

Sn4ck Sh3nan1gans — UNION SQL Injection via Base64 JSON Cookie

The server reads a base64-encoded JSON cookie containing an ID field and passes it unsanitised into a SQL query. Inject a UNION SELECT payload inside the JSON, re-encode as base64, and set the forged cookie to extract the flag in three phases.

January 1, 2024 · 2 min · giordii