Day 35 comes with a resource for XSS WAF bypass and Cracking Passwords from Response Headers!
XSS WAF & character bypass like a boss
Cracking Passwords From Response Headers?
From Sam (CoffeeJunkie). After spending around 2 years doing CTFs online and presencial, one of the tasks which seemed fun and “about to pull my hair off” was cracking passwords. Remembering how Hydra worked out pretty well to crack passwords by providing wordlists, or even dumping hashes from SQL databases was a lot of fun. But, cracking passwords from Response Headers? Well, that seems a most look at!
So, this time the attacker has the chance to crack the user’s password by using the browser tools such as
Inspect Element and Network Tab. After submitting the password, in the Network Tab there is a request which contains a
.ceo extension. Later, by just looking at the Response Headers which will verify that the website is using Cloudflare. From here the attacker proceeds to check the Incorrect Difference which will check the input password in ASCII value, after that the attacker proceeds to check the Incorrect Index which will tell the position of the characters of the password and the Incorrect Lenght in order to verify the lenght of the correct and incorrect password. Therefore, by providing the correct answer the attacker won’t see incorrect headers anymore.
FULL write up here