
Authentication bypass via encryption oracle

Welcome everyone. In this tutorial we are going to solve an authentication bypass lab from PortSwigger.

The steps taken to solve the lab are shown in the video provided below.

The rest of this write-up assumes you have watched the video in full.

Next, let’s examine why we drop 23 bytes and add 9 bytes.

In the video above you can see two requests: a POST and a GET. The POST submits a comment under a blog post, while the GET fetches a specific post by its post ID.

We will use each of them for a different purpose:

  • POST request >> used for encryption
  • GET  request >> used for decryption

In the GET request you can see a cookie named “notification”, whose value is encoded.

Basically, the notification cookie carries the message telling you that you entered an invalid email, i.e. the reason the comment was rejected.

It is formatted as “Invalid email address: hello”.

Let’s now look at what we are doing in this step and what is going on behind the scenes.

Suppose that, when commenting on a blog post, we enter hello in the email box.

  • email=hello >> invalid email

The comment is submitted with a POST request. The response to that POST sets the “notification” cookie and redirects us back to the blog post on which we tried to leave the comment.

The redirect triggers a GET request. That GET request carries the “notification” cookie, and in the response we receive the error message “Invalid email address: hello” at the top of the blog post.

Another cookie, named “stay-logged-in”, is also present:

stay-logged-in=ZquvEKvcEVHT89b1gvaZUZdV55KmBY1BAQHmjhjuKj4%3d

Now that we know the GET request performs the decryption, let’s replace the value of the “notification” cookie with the value of the “stay-logged-in” cookie and send the request. The result is shown in the output below.

wiener:168172535048

This confirms that the GET request can be used for decryption.

Our final objective is to log in as the administrator, and to do that we need the administrator user’s “stay-logged-in” value.

So we need to get “administrator:168172535048” encrypted.

In other words, we simply substitute administrator for the user “wiener” in the cookie value above.

We now enter this value in the email field and receive its encrypted form in the “notification” cookie.

However, because the value we entered is not a valid email address, what we get back is the encrypted form of the following, not of the value we actually need:

Invalid email address: administrator:168172535048

We only need the encrypted form of “administrator:168172535048”.

The “Invalid email address: ” message is 23 bytes long. To remove it, let’s decode the notification cookie.

As you can see, the cookie is URL-encoded, so we URL-decode it. The result is base64-encoded, so we base64-decode it as well and get the raw bytes. Now let’s remove the first 23 bytes from the cookie and then encode it again, first with base64 and then with URL encoding.

You can see this in the screenshot below.

After stripping 23 bytes, the cookie is 41 bytes long.

Let’s try to decrypt it with the GET request. It returns an internal server error stating that the length must be greater than or equal to 16.

So our next goal is to make the length of the encrypted value a multiple of 16.

After removing 23 bytes, the hex value in the example above is 41 bytes long, which is not a multiple of 16.

So, before “administrator:1681457809675”, we add 9 random characters (bytes) to make the prefix a multiple of 16, because 23 + 9 = 32.

In that case the email field becomes: email=xxxxxxxxxadministrator:1681457809675

We know that this value is also an invalid email, so in the end we receive the encrypted form of “Invalid email address: xxxxxxxxxadministrator:1681457809675”.

So we remove the first 32 bytes, since only the remaining bytes are needed.

As you can see in the example below, the POST request was used to obtain the encrypted value of the “notification” cookie:

notification=5eEo4rMpLUYIQNih2WcuF3INS6%2bWCmiWPGWFes7KZma1yo%2bWjRcPH5GQ%2bh9ekea%2f2xbdyTTZqTEgbh%2bd68yu1g%3d%3d

After decoding the cookie value above, we remove the first 32 bytes of its hex value because they are not needed, which leaves 32 bytes, a multiple of 16.

The whole process is shown in the screenshot below.

Our cookie is now ready, as shown in the screenshot above.

Let’s decrypt it now with the GET request, and we can see that it displays the output we need.

As a result, we receive the value we needed: “administrator:1681457809675”

The remaining steps are shown in the video above.
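To make the byte arithmetic above concrete, here is an added Go simulation of the two oracles; it is example code written for this write-up, not PortSwigger's lab code. It assumes the server stores a cookie as a random 16-byte IV followed by AES-CBC ciphertext with PKCS#7 padding, works on the decoded bytes (the base64 and URL-encoding layers from the lab are left out), and uses constructed keys. Because the assumed layout carries an IV up front, the byte counts of what remains differ from the page's 41 and 32, but the drop is the same 32 bytes: the lax `readCookie` accepts any block-aligned input, so dropping the 23-byte prefix plus 9 filler bytes (the IV and the first ciphertext block) leaves a cookie that decrypts to just “administrator:1681457809675”, while dropping only 23 bytes is rejected for not being a multiple of 16. `sealCookie` and `openCookie` show the defender's fix: an HMAC over the cookie's purpose and its ciphertext, verified before anything is decrypted, which rejects both a trimmed cookie and a notification cookie presented to the login handler.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys; a real service would load these from secrets storage.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
var macKey = []byte("fedcba9876543210fedcba9876543210")

const errorPrefix = "Invalid email address: " // 23 bytes, the lab's error message

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) >= 16
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || AES-CBC(pkcs7(pt)), the unauthenticated cookie layout this demo assumes.
func cbcEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	out := pkcs7Pad(pt)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, out)
	return append(iv, out...)
}

// cbcDecrypt mirrors the lab's lax check: anything block-aligned with room for an IV is accepted,
// so a block-aligned suffix of a genuine cookie decrypts cleanly, using the block before it as IV.
func cbcDecrypt(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("length must be a multiple of 16 and at least 32")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// notificationCookie is the encryption oracle (the POST handler): attacker-chosen text is
// encrypted behind the fixed 23-byte prefix.
func notificationCookie(email string) []byte { return cbcEncrypt([]byte(errorPrefix + email)) }

// readCookie is the decryption oracle (the GET handler): it decrypts and reflects any cookie it is given.
func readCookie(cookie []byte) (string, error) { pt, err := cbcDecrypt(cookie); return string(pt), err }

// padToBlock returns the filler length that rounds prefixLen up to a whole block (23 -> 9).
func padToBlock(prefixLen int) int { return (aes.BlockSize - prefixLen%aes.BlockSize) % aes.BlockSize }

// sealCookie is the hardened form: an HMAC over purpose || ciphertext ties the cookie to the
// handler that issued it, so neither trimming blocks nor reuse by another handler passes verification.
func sealCookie(purpose string, pt []byte) []byte {
	blob := cbcEncrypt(pt)
	return append(tag(purpose, blob), blob...)
}

func tag(purpose string, blob []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(purpose))
	mac.Write(blob)
	return mac.Sum(nil)
}

func openCookie(purpose string, cookie []byte) (string, error) {
	if len(cookie) < sha256.Size || !hmac.Equal(cookie[:sha256.Size], tag(purpose, cookie[sha256.Size:])) {
		return "", errors.New("cookie rejected: tag mismatch")
	}
	pt, err := cbcDecrypt(cookie[sha256.Size:])
	return string(pt), err
}

func main() {
	target := "administrator:1681457809675"
	filler := string(bytes.Repeat([]byte{'x'}, padToBlock(len(errorPrefix)))) // nine x's, as in the walkthrough
	cookie := notificationCookie(filler + target)
	pt, err := readCookie(cookie[len(errorPrefix)+len(filler):]) // drop 32 bytes: the IV and the first block
	fmt.Printf("lax oracle after dropping 32 bytes: %q err=%v\n", pt, err)
	_, err = openCookie("stay-logged-in", sealCookie("notification", []byte(errorPrefix+filler+target)))
	fmt.Println("sealed notification cookie handed to the login handler:", err)
}
```

Run it with `go run` to see the spliced cookie decrypt to the bare target string under the lax oracle and the sealed cookie be refused by the other handler. Encrypt-then-MAC with the purpose as associated data is what an AEAD such as AES-GCM gives you directly; using a distinct key per cookie type is an additional, simpler safeguard.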

Thank you
