Burp Suite User Forum


Lab: Brute-forcing a stay-logged-in cookie

Harvey | Last updated: Aug 03, 2023 11:11PM UTC

Hi there, I am working on this lab in the Burp Suite academy. I am having trouble resolving it; I tried to follow the solution step by step, but Burp Suite is not giving me the right answer. I also followed many YouTube videos about this lab, and none of them was able to help me resolve it.

The request that I sent to Intruder:

GET /my-account?id=wiener HTTP/2
Host: 0aee006504e177908193434c00880047.web-security-academy.net
Cookie: stay-logged-in=§d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw§; session=6nDIcCY7IC3WdbtsbqOxNgdeFU7RBPJt
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aee006504e177908193434c00880047.web-security-academy.net/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

In the Payload settings, I pasted the passwords given in the lab, set up the payload processing rules as stated in the lab instructions, and also set up the proper grep settings. However, when the attack runs, the only responses I get from every request are of this variety:

HTTP/2 302 Found
Location: /login
Set-Cookie: session=daspUfk3P75fINvDiztQ0kKMlHlCFfC4; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 0

No response comes back with the correct password, please help!
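As an added illustration (this is not code from the post, the lab or PortSwigger), the Python below decodes the stay-logged-in cookie copied from the request above to show what it actually carries, places the lab's weak construction (base64 of username and an unsalted MD5 of the password) next to a hypothetical hardened remember-me token (random selector plus HMAC tag, validated against server-side state), and shows how the hardened one is verified. The function names, the server key and the in-memory store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Cookie value copied from the request in the post above (Intruder payload markers removed).
STAY_LOGGED_IN = "d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw"


def decode_stay_logged_in(cookie: str) -> Tuple[str, str]:
    """Split a stay-logged-in cookie into (username, hex digest).

    The lab's scheme is base64(username + ":" + md5(password)), so every
    client that receives the cookie also receives a hash of the password.
    """
    raw = base64.b64decode(cookie).decode("utf-8")
    username, digest = raw.split(":", 1)
    return username, digest


def weak_cookie(username: str, password: str) -> str:
    """Build a cookie the way the lab does, for comparison only.

    Unsalted MD5 is fast and deterministic: a captured cookie can be matched
    against a password list offline, and the cookie for a user never changes
    until the password does, so it cannot be revoked on its own.
    """
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode("utf-8")).decode("ascii")


# --- Hypothetical hardened alternative (assumed design, not the lab's code) ---
# The cookie carries a random selector and an HMAC tag keyed with a server
# secret; nothing derived from the password is included. The server keeps
# selector -> username so a stolen cookie can be revoked individually and a
# copied cookie gives an attacker nothing to guess at offline.


def issue_hardened_cookie(username: str, server_key: bytes, store: Dict[str, str]) -> str:
    selector = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains ':'
    tag = hmac.new(server_key, f"{username}:{selector}".encode("utf-8"), "sha256").hexdigest()
    store[selector] = username
    return base64.b64encode(f"{username}:{selector}:{tag}".encode("utf-8")).decode("ascii")


def verify_hardened_cookie(cookie: str, server_key: bytes, store: Dict[str, str]) -> Optional[str]:
    """Return the username if the cookie is valid, otherwise None."""
    try:
        username, selector, tag = base64.b64decode(cookie).decode("utf-8").split(":")
    except (ValueError, UnicodeDecodeError):  # bad base64, bad UTF-8 or wrong field count
        return None
    if store.get(selector) != username:  # unknown or revoked selector
        return None
    expected = hmac.new(server_key, f"{username}:{selector}".encode("utf-8"), "sha256").hexdigest()
    # constant-time comparison so the tag cannot be recovered through timing
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    user, digest = decode_stay_logged_in(STAY_LOGGED_IN)
    print(f"decoded cookie: user={user} md5={digest}")
    key = secrets.token_bytes(32)  # constructed server secret for the demo
    sessions: Dict[str, str] = {}
    cookie = issue_hardened_cookie("wiener", key, sessions)
    print("hardened cookie verifies as:", verify_hardened_cookie(cookie, key, sessions))
```

Running the decode step on the cookie from the post shows the username followed by a 32-character hex digest, which is why the lab's payload processing rules (hash, prepend "username:", base64-encode) reproduce the cookie exactly; the hardened variant has no such derivable structure, and removing the selector from the store invalidates that one cookie without touching the password.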

Di | Last updated: Aug 04, 2023 01:16AM UTC

+1 for this one. It seems that the page for some reason is receiving only one cookie, which is "session", but not the "stay-logged-in" one. At least that is what dev tools are reporting if loaded in the browser. I confirmed that my payload is the same as in the original cookie, so the issue must be somewhere else. Additionally: it is not mentioned in the steps, but at the beginning of the request the id must be changed as well from wiener to GET /my-account?id=carlos HTTP/2. Regards

Ben, PortSwigger Agent | Last updated: Aug 04, 2023 01:30PM UTC

Hi, I think you are correct. You can either remove the id parameter in the base request or change it to carlos, so it looks like either the lab itself has changed in the interim period or the written solution itself needs a little more detail. I will speak to the team to check what the best approach is and then go forward with that.

Ben, PortSwigger Agent | Last updated: Aug 07, 2023 08:02AM UTC

Hi both, just to confirm: it looks like the lab itself was altered and we have not yet updated the lab solution to reflect the changes made. I have raised this with the content team so that they can update the solution to this lab in due course.
