Session Swap
Ridgeline Hotels' new staff portal trusts the browser to tell the truth about who's logged in. Not all employees are equal — and not all cookies are signed.
The Scenario
Ridgeline Hotels rolled out a brand-new internal portal for front-desk agents, housekeeping leads and assistant managers. Engineering shipped it sprint-end. The role-based access control lives entirely in a cookie the browser is happy to edit.
Challenge Intel
Synopsis
A first lesson in trusting the client too much. The user's role is in a plaintext, unsigned cookie — flip it and the admin view is yours.
What It Is
Ridgeline's portal sets a `role=user` cookie after login. The `/admin` route checks the cookie value directly, with no signature or server-side session lookup. Players edit the cookie to `role=admin` in dev tools or with curl, reload `/admin`, and find the flag in an Internal Memo card. The lesson is that anything the browser controls, the user controls — authorisation must be verified on the server.
Who It's For
Brand-new web hackers — anyone who has never tampered with a cookie before.
Skills You'll Practice
- Editing cookie values in browser dev tools
- Reasoning about server-side trust vs client-side state
- Recognising unsigned vs signed (HMAC) cookies
- Using curl with the --cookie flag
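The check described under What It Is, beside the signed (HMAC) form the skills list contrasts it with, as an added example: this is not code from the challenge or from Ridgeline's portal. The secret value, the `role.<hmac-hex>` cookie layout and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed placeholder secret for the demo; a real server loads this from
# a secrets store and never ships it to the browser.
SERVER_SECRET = b"ridgeline-demo-secret-do-not-reuse"


def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie request header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# --- Vulnerable pattern: the server believes whatever the browser sends ---
def admin_allowed_vulnerable(cookie_header: str) -> bool:
    """The portal's mistake: a plaintext role cookie is the whole authorisation check."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("role") == "admin"


# --- Hardened pattern: the role is bound to an HMAC only the server can produce ---
def sign_role(role: str, secret: bytes = SERVER_SECRET) -> str:
    """Issue the cookie value 'role.<hex tag>' (assumed layout)."""
    tag = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def verify_role(cookie_value: str, secret: bytes = SERVER_SECRET):
    """Return the role if the tag matches, else None (unsigned or tampered)."""
    role, sep, tag = cookie_value.rpartition(".")
    if not sep or not role:
        return None  # no tag at all: an unsigned legacy-style cookie
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # role text was edited, or tag was guessed
    return role


def admin_allowed_hardened(cookie_header: str) -> bool:
    """Same route, but only a server-issued admin cookie passes."""
    cookies = parse_cookie_header(cookie_header)
    return verify_role(cookies.get("role", "")) == "admin"


if __name__ == "__main__":
    # Constructed request headers: what an honest user and an edited cookie look like.
    honest = "role=user"
    edited = "role=admin"
    print("vulnerable, edited cookie ->", admin_allowed_vulnerable(edited))   # True
    print("hardened, edited cookie   ->", admin_allowed_hardened(edited))     # False
    issued = "role=" + sign_role("admin")
    print("hardened, issued cookie   ->", admin_allowed_hardened(issued))     # True
    forged = "role=" + sign_role("user").replace("user.", "admin.", 1)
    print("hardened, forged cookie   ->", admin_allowed_hardened(forged))     # False
```

Signing stops the browser from minting its own role, which is exactly the gap the challenge exploits; it does not stop a stolen cookie from being replayed, which is why the page's other remedy, a server-side session lookup keyed by an opaque random token, is the more common production design. Either way the decision is made from state the server controls, not from text the client typed.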
What You'll Gain
- First confident cookie tampering solve
- Intuition for why session tokens must be cryptographically signed
- An instinct to check what cookies a site actually enforces
- Vocabulary for talking about privilege escalation via session manipulation