Largely based on https://hackerone.com/reports/2913312 by https://hackerone.com/parrot409?type=user

Installing:

• npm install
• Make sure you have python3 installed with the z3 module (pip3 install -r requirements.txt) -- the exploit code shells out to python3 to predict the next random value

Running:

In parallel, run:

• npm run start-backend (the backend server that will receive the manipulated request)
• npm run start-vulnerable-server (the frontend server that can be tricked into sending a manipulated request)
• npm run run-exploit (the client code that crafts and sends the exploit)

In the stdout of npm run backend, you should see a request with is_admin: true (despite the code in vulnerable-server.js never intending to add an is_admin parameter to the API call)