Lab: Brute-forcing a stay-logged-in cookie
This lab allows users to stay logged in even after they close their browser session. The cookie used to provide this functionality is vulnerable to brute-forcing.
To solve the lab, brute-force Carlos's cookie to gain access to his "My account" page.
Candidate passwords: the lab provides a wordlist of candidate passwords, which is used as the payload set later in this solution.
With Burp running, log in to your own account with the "Stay logged in" option selected. Notice that this sets a stay-logged-in cookie, which appears to be Base64 encoded. Highlight the cookie value, right-click it, and select "Send to Decoder".
In Burp Decoder, select "Decode as" > "Base64". The result will be wiener:51dc30ddc473d43a6011e9ebba6ca770. Observe the length and character set of this string and notice that it could be an MD5 hash. Given that the plaintext is your username, you can make an educated guess that this might be a hash of your password. Hash your password using MD5 to confirm that this is the case. We now know that the cookie is constructed as follows:
base64(username + ':' + md5(password))
Log out of your account.
Send the GET / request to Burp Intruder.
In Burp Intruder, add a payload position to the stay-logged-in cookie and add your password as a single payload.
Under "Payload processing", add the following rules in order. These rules will be applied sequentially to each payload before the request is submitted.
- Hash: MD5
- Add prefix: wiener:
- Encode: Base64-encode
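The cookie construction worked out above and the three payload-processing rules are the same transformation; as an added example (not part of the lab), the code below expresses that chain as a function, shows why an unsalted MD5 of the password can be checked offline against a candidate list, and contrasts it with a random-token design (an assumed alternative, not the lab's). All sample values are constructed.

```python
import base64
import hashlib
import secrets
from typing import Iterable, Optional


def build_stay_logged_in(username: str, password: str) -> str:
    """The Intruder payload-processing chain: Hash MD5 -> Add prefix -> Base64."""
    digest = hashlib.md5(password.encode()).hexdigest()      # rule 1: Hash: MD5
    plain = f"{username}:{digest}"                           # rule 2: Add prefix "<user>:"
    return base64.b64encode(plain.encode()).decode()         # rule 3: Encode: Base64


def decode_stay_logged_in(cookie: str) -> tuple:
    """What Burp Decoder shows: the cookie splits into a username and an MD5 digest."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest


def recover_password(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the design is weak: the digest is unsalted MD5 of the password, so a
    candidate list can be checked without touching the server. Returns the match."""
    _, digest = decode_stay_logged_in(cookie)
    for candidate in candidates:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


class RandomTokenStore:
    """Hardened alternative (assumed design): the cookie carries a random token that
    encodes nothing about the user; the server stores only the token's SHA-256."""

    def __init__(self) -> None:
        self._by_hash: dict = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)                    # 256 bits of randomness
        self._by_hash[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        # Lookup by hash: a leaked token table cannot be replayed as cookies.
        return self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())


if __name__ == "__main__":
    cookie = build_stay_logged_in("wiener", "correcthorse")   # constructed credentials
    print(cookie, decode_stay_logged_in(cookie))
    print(recover_password(cookie, ["123456", "correcthorse", "letmein"]))
    store = RandomTokenStore()
    token = store.issue("carlos")
    print(store.lookup(token), store.lookup("not-a-real-token"))
```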
On the "Options" tab, add a grep match rule to flag any responses containing the words My account and start the attack.
Notice that the response contains My account. This confirms that your payload processing rules work as expected and constructed a valid cookie.
Repeat this attack, but this time use the username carlos in the "Add prefix" rule and use the list of candidate passwords as the payload set instead of your own password. Remember to add a grep match rule for My account.
Notice that only one request returned a response containing My account. Load this response in your browser.
Click "My account" to solve the lab.