I explained the vulnerabilities in the Bakery website to my friend, but he disregarded them :(. I explained to him how severe these security issues are, but he didn't believe me. To prove me wrong, he made an "admin" page and hid a flag in there.
- Use what you learned in Get a Py 1 to access the secret key. What can a Flask secret key do?
- What does a Flask secret key have to do with session cookies?
Look at the writeup here.