In this lab we need to brute force the stay-logged-in cookie, which is a combination of the username and the MD5 hash of the password.
When you visit the lab and click on My account, you will see the login prompt. I first use the test credentials provided in the lab. Also don't forget to tick the Stay logged in checkbox.


If you observe, we have a couple of cookies: stay-logged-in and session. Let's check these with Sequencer first. I first asked Burp Suite to analyze the session cookie.
The summary says the overall quality is good.

Now let's do the same for the stay-logged-in cookie. The summary shows the randomness is poor.

Let's look at the cookie now. First I removed the session cookie from the request to test how the application behaves. It behaves the same; nothing changes.

Sent the cookie to Decoder and decoded it as Base64. It shows the username and some hash value.

The hash looks like MD5, so calculate the MD5 hash of the password string. It is the same as the hash above.

This confirms the stay-logged-in cookie is nothing but the Base64 encoding of username:md5_hash(password). Now we need to brute force the hash with some payload processing:
base64_encode(carlos:MD5_hash(password))
Send the request to Intruder and select the stay-logged-in cookie value as the payload position. Also change the parameter to id=carlos.

Now in the Payloads section, paste the password list provided in the lab. In Payload Processing, create the payload processing rules in the following order:
- Hash: MD5
- Add prefix: carlos:
- Base64-encode

Start the attack now. Sort the results by status code and look for the 200 OK response.



This issue arises due to:
- Poor entropy of the cookie: the cookie is a combination of the username and the MD5 hash of the password, which is not good. Also, if we remove the session token, the behavior of the application does not change.
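The following Python script is an added example, not code from the lab or this write-up. It reproduces the cookie construction and the Decoder step described above (base64 of username:md5(password)) so you can see why the token is password-derived and verifiable offline, and then shows a hardened remember-me design for comparison: a random 256-bit token stored server-side as a SHA-256 hash, carried to the client with an HMAC tag under a server key, and revocable. The username "carlos" is from the lab; the password "example-password" and the server key are constructed placeholders; the class `RememberMeStore` and its methods are my own names.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional


def weak_cookie(username: str, password: str) -> str:
    """Build the stay-logged-in cookie the way the write-up found it:
    base64(username + ":" + md5(password)). Deterministic and password-derived."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_weak_cookie(cookie: str) -> tuple[str, str]:
    """Mirror the Decoder step: Base64-decode and split into (username, md5 hex)."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest


def cookie_matches_password(cookie: str, candidate: str) -> bool:
    """The check done by hand in the write-up: md5(candidate) == hash in the cookie.
    That this can be evaluated without contacting the server is the core weakness."""
    _, digest = decode_weak_cookie(cookie)
    return hmac.compare_digest(digest, hashlib.md5(candidate.encode()).hexdigest())


class RememberMeStore:
    """Hardened alternative, added here as a suggestion and not part of the lab.

    Tokens are 32 random bytes from the OS CSPRNG, stored server-side only as
    SHA-256 hashes, and sent to the client with an HMAC tag under a server key.
    The cookie carries no password material, differs on every issue, and can
    be revoked by deleting the server-side record."""

    TOKEN_LEN = 32
    TAG_LEN = 32

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._records: dict[str, str] = {}  # sha256(token) hex -> username

    def issue(self, username: str) -> str:
        token = secrets.token_bytes(self.TOKEN_LEN)
        self._records[hashlib.sha256(token).hexdigest()] = username
        tag = hmac.new(self._key, token, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(token + tag).decode()

    def resolve(self, cookie: str) -> Optional[str]:
        """Return the username for a valid, unrevoked cookie, else None."""
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except (ValueError, binascii.Error):
            return None
        if len(raw) != self.TOKEN_LEN + self.TAG_LEN:
            return None
        token, tag = raw[: self.TOKEN_LEN], raw[self.TOKEN_LEN :]
        expected = hmac.new(self._key, token, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered cookie
        return self._records.get(hashlib.sha256(token).hexdigest())

    def revoke(self, cookie: str) -> bool:
        """Delete the server-side record; returns True if something was revoked."""
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except (ValueError, binascii.Error):
            return False
        key = hashlib.sha256(raw[: self.TOKEN_LEN]).hexdigest()
        return self._records.pop(key, None) is not None


if __name__ == "__main__":
    # Constructed sample values; not the lab's real credentials.
    weak = weak_cookie("carlos", "example-password")
    print("weak cookie:", weak, "->", decode_weak_cookie(weak))
    store = RememberMeStore(secrets.token_bytes(32))  # constructed server key
    strong = store.issue("carlos")
    print("hardened cookie:", strong, "->", store.resolve(strong))
```

The weak cookie is the same string every time the same user logs in, and it can be checked against a candidate password with nothing but a hash function, which is exactly what the Intruder payload processing above exploits. The hardened token is unpredictable, cannot be validated without the server key and the server-side record, and, because it is separate from the session, the application can use it only to create a fresh session rather than accepting it as a session in its own right.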