Challenge 22 of 66

Session Hijacker

🟡 Medium Auth +75 XP

The app does not regenerate session IDs after login. Fixate a known session ID, trick the admin into using it, then hijack their session.

Session Hijacker // sandbox
Set a session cookie before the victim logs in. The session keeps the same ID after authentication.
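The root cause and its fix, as an added example that is not the challenge's own code: a login that keeps the pre-login session ID beside one that rotates it, plus a regression check a defender can run. `SessionStore`, its methods and `id_survives_login` are hypothetical names, and the in-memory table is an assumption.

```python
import secrets


class SessionStore:
    """In-memory server-side session table: session ID -> session data."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, sid=None):
        # Only IDs this server issued are honoured; an unknown or
        # client-chosen value is never adopted, a fresh ID is issued instead.
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # The flaw described above: the authenticated state is attached
        # to the same ID the browser held before login.
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # The fix: invalidate the pre-login ID and move the session data
        # to a newly generated one at the moment of authentication.
        data = self.sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def id_survives_login(login_method):
    """Regression check: returns (pre_login_id_is_authenticated, id_was_rotated)."""
    store = SessionStore()
    pre = store.get_or_create()
    post = getattr(store, login_method)(pre, "admin")
    return store.user_for(pre) == "admin", pre != post


if __name__ == "__main__":
    print("vulnerable:", id_survives_login("login_vulnerable"))
    print("hardened:  ", id_survives_login("login_hardened"))
```

In a real framework the same rotation is done with its own session API at login, and the check above translates to comparing the session cookie before and after authentication.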
