Lab: Offline password cracking


This lab stores the user's password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos's stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the "My account" page.

  • Your credentials: wiener:peter
  • Victim's username: carlos
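
A defensive counterpart to the flaw this lab describes, as an added example that is not part of the lab: a stay-logged-in cookie that carries a random token instead of anything derived from the password, so a stolen cookie gives no material for offline cracking. The `RememberMeStore` class, its method names and the in-memory storage are hypothetical.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """Hypothetical server-side store for stay-logged-in tokens (in-memory for the example)."""

    def __init__(self, lifetime_seconds=14 * 24 * 3600):
        self.lifetime = lifetime_seconds
        self._tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        # The token has 256 bits of entropy, so a fast hash is enough to protect
        # the stored copy. Passwords themselves still need a slow, salted KDF.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random; unrelated to the password
        self._tokens[self._digest(token)] = (username, now + self.lifetime)
        # Cookie value. Set it with HttpOnly so script injected through an XSS
        # flaw cannot read it, plus Secure and SameSite.
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        digest = self._digest(token)
        entry = self._tokens.get(digest)
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            del self._tokens[digest]  # expired tokens are dropped on sight
            return None
        return username

    def revoke_user(self, username):
        # Call on logout, password change or suspected cookie theft.
        stale = [k for k, (u, _) in self._tokens.items() if u == username]
        for key in stale:
            del self._tokens[key]
```

Because the server keeps only a digest of each token, a leak of the token table does not hand out usable cookies, and revoking a user invalidates every cookie issued to them.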