
# Password brute-force via password change

## Lab Description

<figure><img src="/files/YzqkY02hikBUUPjVgLK5" alt=""><figcaption></figcaption></figure>

## Walkthrough

### **Step 1: Exploring the Password Change Functionality**

After logging in with the provided credentials (`wiener:peter`), the first step is to explore the application's behavior. I navigate to the **Change Password** section under **My Account**.

* I observe that the form includes fields for the current password, new password, and confirmation of the new password.

<figure><img src="/files/fJ35GSqJRm9XTasUMBbq" alt=""><figcaption></figcaption></figure>

### **Step 2: Testing Validation**

To understand how the application handles input errors, I perform a series of tests:

1. **Mismatched New Passwords**
   * Enter a correct **current password** but intentionally input mismatched new passwords.
   * **Result:** The application throws an error: *"New passwords do not match."*

<figure><img src="/files/AxMBoExdZ3cVJZaVq1QU" alt=""><figcaption></figcaption></figure>

2. **Incorrect Current Password**
   * Enter an incorrect **current password** while inputting valid new passwords.
   * **Result:** The application throws an error: *"Current password is incorrect."*

<figure><img src="/files/dcB2HWLINTA5FyfKtzQd" alt=""><figcaption></figcaption></figure>

From these tests, I notice two distinct behaviors:

* When the **current password** is valid but the **new passwords** mismatch, the error is about mismatched new passwords.
* When the **current password** is invalid, the error explicitly says it is incorrect.

This differentiation can be exploited in a **brute-force attack**:

* We attempt various passwords as the **current password** while using intentionally mismatched new passwords.
* A response indicating mismatched new passwords implies the **current password** was correct.

### **Step 3: Setting Up the Brute-Force Attack**

To brute-force the **current password**, I:

1. Send a sample password change request to Burp Suite.
2. Replace the username field with `carlos` to target their account.
3. Mark the **current password** as a payload position for the attack.
4. Use **two mismatched new passwords** to generate a distinguishable response.

<figure><img src="/files/qDKu2m9nJLVUv8D4qDNj" alt=""><figcaption></figcaption></figure>
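The two weaknesses the steps above rely on, the error message that differs depending on whether the current password was right and the handler trusting a `username` field in the request body, are easiest to see side by side with a fixed version. The following Python is an added example, not the lab's code: it simulates the vulnerable handler beside a hardened one that takes the account from the session, returns one generic failure message, compares the current password in constant time, and locks the feature after repeated failures. The user store, the `FAILURES` counter and `MAX_FAILURES` are constructed assumptions; the usernames and passwords are the ones the write-up uses.

```python
import hmac

# Constructed user store (not the lab's back end): username -> current password.
# A real application stores salted hashes; plaintext keeps the example short.
USERS = {"wiener": "peter", "carlos": "qwerty"}

# Assumed in-memory failure counter for the hardened handler, keyed by the
# session user. A deployment would use a shared store with expiry.
FAILURES = {}
MAX_FAILURES = 5

# The write-up's trick: two new passwords that deliberately differ.
MISMATCHED = {"new-password-1": "newpass-1", "new-password-2": "newpass-2"}


def change_password_vulnerable(form):
    """Mirrors the lab's behaviour: the account to change comes from the request
    body, and the two failure cases return different messages, so the response
    tells the caller whether the current password was right."""
    username = form["username"]                      # attacker-controlled field
    if form["current-password"] != USERS.get(username):
        return "Current password is incorrect"
    if form["new-password-1"] != form["new-password-2"]:
        return "New passwords do not match"
    USERS[username] = form["new-password-1"]
    return "Password changed"


def change_password_hardened(session_user, form):
    """Same feature with the oracle closed: the account is the one bound to the
    authenticated session, both failure modes return one generic message, the
    current-password comparison is constant-time, and a per-user counter locks
    the feature after MAX_FAILURES failed submissions of either kind (counting
    only wrong current passwords would reopen the oracle through the lockout)."""
    if FAILURES.get(session_user, 0) >= MAX_FAILURES:
        return "Too many failed attempts; try again later"
    stored = USERS.get(session_user, "")
    current_ok = hmac.compare_digest(form["current-password"].encode(), stored.encode())
    new_ok = form["new-password-1"] == form["new-password-2"]
    if not (current_ok and new_ok):
        FAILURES[session_user] = FAILURES.get(session_user, 0) + 1
        return "Password change failed"
    FAILURES.pop(session_user, None)
    USERS[session_user] = form["new-password-1"]
    return "Password changed"


def probe(handler, guesses):
    """Submit each guess as the current password with deliberately mismatched new
    passwords and map each guess to the response text the handler returned."""
    return {g: handler({"current-password": g, **MISMATCHED}) for g in guesses}


def vulnerable_as_wiener(form):
    """wiener's session, but the body names carlos and the handler trusts it."""
    return change_password_vulnerable({"username": "carlos", **form})


def hardened_as_wiener(form):
    """The hardened handler only ever acts on the session's own account."""
    return change_password_hardened("wiener", form)


if __name__ == "__main__":
    # Vulnerable: the correct guess is the only one answered with the mismatch message.
    print(probe(vulnerable_as_wiener, ["123456", "password", "qwerty"]))
    # Hardened: every guess, right or wrong, gets the same answer.
    print(probe(hardened_as_wiener, ["123456", "password", "peter"]))
```

Running the script shows the vulnerable probe answering `qwerty` differently from every other guess, while the hardened probe returns the same string for all three guesses, including wiener's real password. The content-length filter used in Step 4 depends on exactly that difference, so collapsing the two messages into one of equal length removes the signal; the lockout and the session-bound account close the remaining avenues.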

### **Step 4: Analyzing Results**

* After the attack completes, filter the responses by **content length**.
* Identify the response with a different length.
* The associated payload reveals the **correct current password** for Carlos's account.

<figure><img src="/files/eRLGb4veQQwd8LnEjZPR" alt=""><figcaption></figcaption></figure>
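From the defending side, the attack in Steps 3 and 4 leaves a distinctive trace: a burst of failed password-change submissions against one account from one client, made from a session that belongs to a different user, and (in the vulnerable flow) ending with a "passwords do not match" outcome once the right current password is found. The following Python is an added example, not part of the write-up or the lab: it parses constructed application log lines in an assumed format and flags that pattern with a sliding-window count. The log format, field names, IPs and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log (not from the lab) in the format this example
# assumes: timestamp, client IP, the user bound to the session, the account
# named in the request, and the outcome the server reported.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z ip=203.0.113.7 session=wiener target=wiener outcome=password_mismatch
2024-05-01T12:00:05Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:06Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:07Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:08Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:09Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:10Z ip=203.0.113.7 session=wiener target=carlos outcome=current_incorrect
2024-05-01T12:00:11Z ip=203.0.113.7 session=wiener target=carlos outcome=password_mismatch
2024-05-01T12:30:00Z ip=198.51.100.2 session=carlos target=carlos outcome=current_incorrect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) session=(?P<session>\S+) "
    r"target=(?P<target>\S+) outcome=(?P<outcome>\S+)$"
)
FAILURE_OUTCOMES = {"current_incorrect", "password_mismatch"}


def parse(log):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Flag (ip, target account) pairs with >= threshold failed change-password
    submissions inside any sliding window. Each alert also records whether the
    session user differed from the target (a legitimate user only changes their
    own password) and whether the run contains a password_mismatch outcome,
    which in the vulnerable flow means the current password was right."""
    by_key = defaultdict(list)
    for e in events:
        if e["outcome"] in FAILURE_OUTCOMES:
            by_key[(e["ip"], e["target"])].append(e)

    alerts = []
    for (ip, target), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "target": target,
                "failures": peak,
                "cross_account": any(x["session"] != x["target"] for x in evs),
                "suspected_hit": any(x["outcome"] == "password_mismatch" for x in evs),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises one alert, for 203.0.113.7 against carlos, with seven failures, `cross_account` set because the session belonged to wiener, and `suspected_hit` set because the run ends with the mismatch outcome. The single failures from wiener against his own account and from the second IP stay below the threshold, which is the point of keying on (client, target) rather than on the target alone.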

### **Step 5: Verification**

Using the retrieved password (`qwerty`), I log in to Carlos's account and confirm access to the **My Account** page.

<figure><img src="/files/MKhjw6mFSWOyVwwIS9UQ" alt=""><figcaption></figcaption></figure>


