Note: This was part of an overall effort to complete PortSwigger’s Web Security Academy without Burp Suite.

Suppose you’re conducting a security audit on an application that employs session cookies encoded with URL and Base64. Here’s what you can do:

1. Log in to the application using your credentials. Observe that the GET request for the / endpoint includes a session cookie encoded with URL and Base64. Copy this request and open it in the OWASP ZAP Manual Request Editor. Also, highlight the value of the session cookie and right-click to open the context menu, then choose “Encode/Decode/Hash…”.

2. URL-decode the value of the session cookie.

3. Base64-decode the result obtained from step 2.

4. Note that the admin attribute has a value of b:0, which represents the boolean value false. Change this to b:1.

5. Encode the updated session cookie value as follows:

6. Then, URL-encode the result from step 5.

7. In the request editor, replace this:

Set-Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d

with this:

Set-Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7Yjox%0AO30%3D

8. Send the modified request to the server.

9. You’ll see the link required to delete Carlos (/admin/delete?username=carlos). Use this link to delete his account.

10. Finally, resend the modified request to the server to carry out the deletion.