This lab stores the user's password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos's stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the "My account" page.
stay-logged-in cookie is Base64 encoded.
GET request from the victim containing their
Note: The purpose of this lab is to demonstrate the potential of cracking passwords offline. In practice this would most likely be done with a tool such as hashcat. When testing your clients' websites, we do not recommend submitting hashes of their real passwords in a search engine.
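The weakness this lab is built around is a "remember me" cookie derived from the user's own credentials: anyone who obtains the cookie (here via XSS) can take the hash away and crack it offline with no rate limit. The block below is an added example, not code from the lab or from PortSwigger. It assumes the cookie layout is Base64 of `username:md5(password)`; the page only states that the cookie holds the password hash and is Base64 encoded, so that exact layout is an assumption. It shows the anti-pattern, a defender's check that flags cookies decoding to `identifier:hexdigest`, and the hardened alternative: an opaque random token mapped to the user server-side and sent with `HttpOnly` so script injected by XSS cannot read it.

```python
import base64
import hashlib
import re
import secrets
from typing import Optional

COOKIE_NAME = "stay-logged-in"


def weak_stay_logged_in(username: str, password: str) -> str:
    """The anti-pattern: a persistent-login cookie built from the credentials.

    ASSUMPTION: Base64("username:md5(password)"). The hash is unsalted, so two
    users with the same password get the same digest, and the cookie can be
    decoded and cracked offline by whoever steals it.
    """
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode("utf-8")).decode("ascii")


# Matches "identifier:hexdigest" for 128- to 512-bit hex digests (MD5 .. SHA-512).
_IDENT_COLON_HEX = re.compile(r"^[A-Za-z0-9_.@-]+:[0-9a-f]{32,128}$")


def cookie_exposes_hash(cookie_value: str) -> Optional[tuple[str, str]]:
    """Defender's check for a review or test suite: does this cookie value
    Base64-decode to 'identifier:hexdigest'? Returns (identifier, digest) if
    so, otherwise None. Opaque random tokens do not match."""
    try:
        decoded = base64.b64decode(cookie_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not _IDENT_COLON_HEX.match(decoded):
        return None
    ident, digest = decoded.split(":", 1)
    return ident, digest


# Hardened design. Server-side store maps sha256(token) -> username, so a
# database leak does not hand out usable cookies; the token itself carries
# no information about the password.
_TOKEN_STORE: dict[str, str] = {}


def issue_secure_token(username: str) -> str:
    """Issue an opaque 256-bit token from the OS CSPRNG and remember its hash."""
    token = secrets.token_urlsafe(32)
    _TOKEN_STORE[hashlib.sha256(token.encode("ascii")).hexdigest()] = username
    return token


def lookup_secure_token(token: str) -> Optional[str]:
    """Resolve a presented token to a username, or None if unknown."""
    return _TOKEN_STORE.get(hashlib.sha256(token.encode("ascii")).hexdigest())


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the token. HttpOnly keeps it out of document.cookie,
    which is what the XSS in the comment feature would otherwise read."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    # Constructed sample credentials, not values from the lab.
    weak = weak_stay_logged_in("alice", "correct horse")
    print("weak cookie decodes to:", cookie_exposes_hash(weak))
    tok = issue_secure_token("alice")
    print("opaque token exposes hash?", cookie_exposes_hash(tok))
    print(set_cookie_header(tok))
```

Running the check over a real application's `Set-Cookie` headers is a cheap regression test: any persistent-login cookie that decodes to `identifier:hexdigest` should be treated as a stored password hash leaving the server.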