PortSwigger - Password brute-force via password change

Jun Takemura · June 7, 2025

Password brute-force via password change

Task

This lab’s password change functionality makes it vulnerable to brute-force attacks. To solve the lab, use the list of candidate passwords to brute-force Carlos’s account and access his “My account” page.

  • Your credentials: wiener:peter
  • Victim’s username: carlos

Attempt

Log in as wiener and send a request to change his password. Upon examining the request, I found that the username parameter specifies the user whose password is to be changed.

The page will lock you out if you enter a wrong current password together with two matching new passwords, but if the two new passwords differ, it returns Current password incorrect. With the correct current password and two different new passwords, it returns New passwords do not match. This difference between the messages can be abused.

Send the request to /my-account/change-password to Repeater. Change the username parameter to carlos, set two different new passwords, and brute-force the current password with Intruder. In the Intruder results, one response has a different length. Preferably, use Grep - Match to find the response containing “New passwords do not match”.
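As an added illustration (not part of the original writeup or the lab's code), a Python model of the handler beside a hardened version: the vulnerable one trusts the username parameter and answers differently in its mismatch branch depending on the current password without counting the attempt, while the hardened one binds the change to the session user, validates the new passwords before checking the current one, and counts every wrong guess. Users, passwords and the lockout threshold are constructed.

```python
import hmac

LOCK_AFTER = 3  # constructed lockout threshold for the model

def _new_store():
    # Constructed sample data; plaintext passwords only to keep the model small.
    return {"pw": {"wiener": "peter", "carlos": "montoya"}, "fail": {}, "locked": set()}

def _record_failure(store, user):
    store["fail"][user] = store["fail"].get(user, 0) + 1
    if store["fail"][user] >= LOCK_AFTER:
        store["locked"].add(user)

def change_password_vulnerable(store, session_user, form):
    """Models the lab: trusts form['username'], and only the matching-new-passwords
    branch does lockout bookkeeping, so the mismatch branch is an unthrottled oracle."""
    user = form["username"]  # attacker-controlled target
    if user in store["locked"]:
        return "Account locked"
    if form["new1"] != form["new2"]:
        if form["current"] == store["pw"].get(user):
            return "New passwords do not match"  # confirms the current password
        return "Current password incorrect"
    if form["current"] != store["pw"].get(user):
        _record_failure(store, user)
        return "Current password incorrect"
    store["pw"][user] = form["new1"]
    return "Password changed"

def change_password_hardened(store, session_user, form):
    """Binds the change to the logged-in user, validates the new passwords
    before the current one is checked, and counts every wrong guess."""
    user = session_user  # form['username'] is ignored
    if user in store["locked"]:
        return "Account locked"
    if form["new1"] != form["new2"]:
        return "New passwords do not match"  # says nothing about the current password
    if not hmac.compare_digest(form["current"], store["pw"].get(user, "")):
        _record_failure(store, user)
        return "Current password incorrect"
    store["fail"].pop(user, None)
    store["pw"][user] = form["new1"]
    return "Password changed"

def oracle_responses(handler, store, session_user, target, candidates):
    """Maps each candidate current password to the handler's response, so a
    test can check whether the responses single out the right one."""
    form = lambda c: {"username": target, "current": c, "new1": "a", "new2": "b"}
    return {c: handler(store, session_user, form(c)) for c in candidates}
```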
