Password brute-force via password change

Lab Description

Walkthrough

Step 1: Exploring the Password Change Functionality

After logging in with the provided credentials (wiener:peter), the first step is to explore the application's behavior. I navigate to the Change Password section under My Account.

  • I observe that the form includes fields for the current password, new password, and confirmation of the new password.

Step 2: Testing Validation

To understand how the application handles input errors, I perform a series of tests:

  1. Mismatched New Passwords

    • Enter a correct current password but intentionally input mismatched new passwords.

    • Result: The application throws an error: "New passwords do not match."

  2. Incorrect Current Password

    • Enter an incorrect current password while inputting valid new passwords.

    • Result: The application throws an error: "Current password is incorrect."

From these tests, I notice two distinct behaviors:

  • When the current password is valid but the new passwords mismatch, the error is about mismatched new passwords.

  • When the current password is invalid, the error explicitly says it is incorrect.

This differentiation can be exploited in a brute-force attack:

  • We attempt various passwords as the current password while using intentionally mismatched new passwords.

  • A response indicating mismatched new passwords implies the current password was correct.

Step 3: Setting Up the Brute-Force Attack

To brute-force the current password, I:

  1. Send a sample password change request to Burp Suite.

  2. Replace the username field with carlos to target their account.

  3. Mark the current password as a payload position for the attack.

  4. Use two mismatched new passwords to generate a distinguishable response.
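As an added example (not code from the lab or from PortSwigger), here is a small Python model of the two behaviours observed in Step 2 and of the username substitution used in Step 3: the first handler behaves like the lab, the second is a hardened version. The names (`USERS`, `change_password_vulnerable`, `change_password_hardened`, `MAX_ATTEMPTS`) and the user records are assumptions made for the example.

```python
# Added example: a minimal model of a password-change handler, first as the
# lab behaves and then hardened. USERS holds constructed sample data in
# plaintext only to keep the model short; real code stores password hashes.
import hmac

USERS = {"wiener": "peter", "carlos": "qwerty"}  # constructed sample data


def change_password_vulnerable(form):
    """Mirrors the lab: the current-password check runs before the
    new-password comparison, so the error text reveals whether the guessed
    current password was right, and the target account is whatever
    username the client submits."""
    user = form["username"]
    if USERS.get(user) != form["current-password"]:
        return 400, "Current password is incorrect"
    if form["new-password-1"] != form["new-password-2"]:
        return 400, "New passwords do not match"
    USERS[user] = form["new-password-1"]
    return 200, "Password changed"


ATTEMPTS = {}      # failed attempts per account (assumed in-memory counter)
MAX_ATTEMPTS = 5   # assumed lockout threshold


def change_password_hardened(session_user, form):
    """Hardened version: acts only on the authenticated session user (any
    submitted username is ignored), validates the new passwords before the
    current password is ever compared, uses one generic failure message for
    a wrong current password, and counts failures per account."""
    if ATTEMPTS.get(session_user, 0) >= MAX_ATTEMPTS:
        return 429, "Too many attempts"
    # Checked first: a mismatch now returns the same response whether or
    # not the current password is correct, so it leaks nothing.
    if form["new-password-1"] != form["new-password-2"]:
        return 400, "New passwords do not match"
    stored = USERS.get(session_user, "")
    if not hmac.compare_digest(stored.encode(), form["current-password"].encode()):
        ATTEMPTS[session_user] = ATTEMPTS.get(session_user, 0) + 1
        return 400, "Password change failed"
    ATTEMPTS[session_user] = 0
    USERS[session_user] = form["new-password-1"]
    return 200, "Password changed"
```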

Step 4: Analyzing Results

  • After the attack completes, filter the responses by content length.

  • Identify the response with a different length.

  • The associated payload reveals the correct current password for Carlos's account.

Step 5: Verification

Using the retrieved password (qwerty), I log in to Carlos's account and confirm access to the My Account page.
