Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki
V4 - Access Control

Admin panel takeover

POC

  • Intercept the login request on the admin page with Burp for the user admin
  • Send the request to Burp Intruder
  • Select the password parameter value as the attack position
  • Paste a common-passwords list from SecLists as the payload
  • Run the attack
  • Observe a successful attempt by its 200 or 301 response code
  • Use the password to log in to the admin panel
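As an added defender-side example (not part of the Cobalt wiki entry), the Python below detects the pattern the POC above produces: a burst of failed logins for one account from one source address, followed by a 200/301 success. The log line format, the threshold and the sample lines are constructed assumptions for this example.

```python
# Added detection example for the admin-login brute-force pattern above.
# Log format, threshold and sample lines are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one /admin/login event per line:
# "<iso time> <source ip> <user> <http status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin 401
2024-05-01T10:00:02 203.0.113.7 admin 401
2024-05-01T10:00:02 203.0.113.7 admin 401
2024-05-01T10:00:03 203.0.113.7 admin 401
2024-05-01T10:00:03 203.0.113.7 admin 401
2024-05-01T10:00:04 203.0.113.7 admin 301
2024-05-01T10:05:00 198.51.100.4 alice 401
2024-05-01T10:05:30 198.51.100.4 alice 200
"""

# Status codes the POC treats as a successful login (200 or 301; 302 added)
SUCCESS_CODES = {200, 301, 302}

def parse(line):
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user, int(status)

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (ip, user) pair that reaches `threshold` failed
    logins inside the sliding `window`; the alert records whether a success
    followed the burst, which is the takeover case worth paging on."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, status = parse(raw)
        key = (ip, user)
        # keep only failures still inside the window ending at this event
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if status in SUCCESS_CODES:
            if key in alerts:
                alerts[key]["success_after"] = True   # burst, then a success
            continue
        failures[key].append(ts)
        if len(failures[key]) >= threshold and key not in alerts:
            alerts[key] = {"ip": ip, "user": user, "failures": len(failures[key]),
                           "first_seen": failures[key][0], "success_after": False}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

In the sample, only the admin account from 203.0.113.7 trips the threshold, and its alert is marked as followed by a success; a single failure for alice produces nothing.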

Impact

High

Likelihood

High