Password Brute-Force via Password Change
Lab
Password brute-force via password change · Practitioner
Solution
Already tired of writing the report :)
In short, nothing complicated here.
There's a route POST /my-account/change-password.
It has no brute-force protection, and we can swap the username.
There's a nuance: if you set the new password and its confirmation the same, and the current password is wrong, the server responds with a redirect.
If the new passwords don't match, 200 is returned; and when the current password is correct (new passwords still not matching), also 200, but the response length differs.
We set up the attack in Intruder. We use the provided password dictionary.
Body:
username=carlos&current-password={pwd}&new-password-1=123&new-password-2=321
pwd here gets substituted with a password from the dictionary.
We launch the attack and sort by response length.
Password — ginger.
Lab solved!
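As an added example (not code from the original write-up or from PortSwigger), here is the handler logic the lab exploits modelled in Python, beside a hardened version that closes the three gaps: the account is bound to the session instead of the body, failed attempts are limited per account, and every failure returns one identical response so status and length no longer reveal whether the current password was right. The user store, the messages and MAX_ATTEMPTS are constructed assumptions.

```python
import hmac
from collections import defaultdict

# Constructed demo credential store (plaintext only to keep the model short).
USERS = {"carlos": "ginger", "wiener": "peter"}

def vulnerable_change_password(form):
    """Models the lab endpoint: the target account comes from the request body,
    no attempt limit exists, and the three outcomes are distinguishable."""
    user = form["username"]  # trusts the body, so any account can be targeted
    current_ok = USERS.get(user) == form["current-password"]
    new_match = form["new-password-1"] == form["new-password-2"]
    if not current_ok and new_match:
        return 302, "/login"                         # redirect, as the write-up observes
    if not current_ok:
        return 200, "Current password is incorrect"  # constructed message, length A
    if not new_match:
        return 200, "New passwords do not match"     # constructed message, length B: the oracle
    USERS[user] = form["new-password-1"]
    return 200, "Password changed"

MAX_ATTEMPTS = 5             # constructed limit
ATTEMPTS = defaultdict(int)  # failed attempts per account (in-memory stand-in for a real store)

def hardened_change_password(session_user, form):
    """Same operation with the gaps closed: account taken from the authenticated
    session, per-account attempt limit, one indistinguishable failure response."""
    if ATTEMPTS[session_user] >= MAX_ATTEMPTS:
        return 429, "Too many attempts"
    current_ok = hmac.compare_digest(USERS.get(session_user, ""), form["current-password"])
    new_match = form["new-password-1"] == form["new-password-2"]
    # Any failure counts and yields the same body: if only wrong current passwords
    # counted, the lockout itself would become the oracle the lab exploits.
    if not (current_ok and new_match):
        ATTEMPTS[session_user] += 1
        return 200, "Password change failed"
    ATTEMPTS[session_user] = 0
    USERS[session_user] = form["new-password-1"]
    return 200, "Password changed"

def attempt(pwd, first="123", second="321", user="carlos"):
    """Builds the same form the write-up sends to Intruder, with {pwd} filled in."""
    return {"username": user, "current-password": pwd,
            "new-password-1": first, "new-password-2": second}
```

Against the vulnerable handler the dictionary run separates the correct guess by response body; against the hardened one every guess looks the same and the account locks after MAX_ATTEMPTS failures.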