
# NodeJS - Credentials Guessing - 2

## Running the app on Docker

```
$ sudo docker pull blabla1337/owasp-skf-lab:js-credentials-guessing-2
```

```
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-credentials-guessing-2
```

{% hint style="success" %}
Now that the app is running let's go hacking!
{% endhint %}

## Reconnaissance

It is very common for users to pick guessable, weak usernames and passwords because they are easier to remember. That convenience is a great advantage for an attacker trying to crack the user's credentials: it is easy to guess or brute force many different candidates until the right one turns up.

When we start the application we can see that there is a login form.

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/1.png)

If we try some random credentials such as admin:admin, we don't get access to the inside of the website and an error message is displayed:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/2.png)

## Exploitation

Since an incorrect username produces an error message, and assuming that a correct username will not produce that message, we use Burp to brute force usernames and spot the right one by comparing the length of the HTTP response for each attempt. We use the "Intruder" functionality and load a prepared dictionary of usernames, which Intruder sends to the website one by one.

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/3.png)

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/4.png)

If we check the length of the HTTP responses for each username Burp tried, we find one whose length differs from the rest:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/5.png)

We found something promising! This is very likely the valid username.

We can check by sending the HTTP request with this word as the username:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/6.png)

No error message is displayed now, which means this username is correct:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/7.png)

Now, if we follow the same methodology for the password, or simply try the username as the password in the login form, we get access to the inside of the website:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/8.png)

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Credentials-Guessing-2/9.png)

And goal achieved!
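The enumeration above, and the fix for it, as an added example that is not the lab's own code. It simulates a Node login handler that answers differently for an unknown username and for a wrong password, reproduces what Intruder did (send a wordlist, record each response length, flag the outlier), and then runs the same routine against a hardened handler that returns one generic message. The credential store, the wordlist and the error strings are constructed for this example; the lab's real account and messages are not shown here.

```javascript
// Added example, not the lab's code. Constructed credential store: the lab's
// "password equals username" behaviour is mimicked, but the account name
// "dev" is an assumption for this example only.
const USERS = new Map([['dev', 'dev']]);

// Vulnerable handler: the body reveals whether the username exists, because
// "no such user" and "wrong password" produce different messages (and lengths).
function loginVulnerable(username, password) {
  if (!USERS.has(username)) {
    return { status: 401, body: 'Error: unknown username, please try again' };
  }
  if (USERS.get(username) !== password) {
    return { status: 401, body: 'Error: wrong password' };
  }
  return { status: 200, body: 'Welcome' };
}

// Hardened handler: one generic message and one status for every failure, so
// neither the body nor its length tells an attacker whether the user exists.
const GENERIC = 'Error: invalid username or password';
function loginHardened(username, password) {
  const stored = USERS.get(username);
  const ok = stored !== undefined && stored === password;
  return ok ? { status: 200, body: 'Welcome' } : { status: 401, body: GENERIC };
}

// What Intruder did above: try every candidate username with a dummy password,
// record the response length, and report candidates whose length differs from
// the most common one (the "user does not exist" baseline). `login` stands in
// for the HTTP request to the lab's login form.
function enumerateUsernames(login, wordlist, dummyPassword = 'x') {
  const results = wordlist.map((u) => ({
    username: u,
    length: login(u, dummyPassword).body.length,
  }));
  const counts = new Map();
  for (const r of results) counts.set(r.length, (counts.get(r.length) || 0) + 1);
  const baseline = [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
  return results.filter((r) => r.length !== baseline).map((r) => r.username);
}

// Constructed wordlist, standing in for the dictionary loaded into Intruder.
const WORDLIST = ['admin', 'root', 'test', 'dev', 'guest', 'user'];

function demo() {
  return {
    leaked: enumerateUsernames(loginVulnerable, WORDLIST), // ['dev']
    hidden: enumerateUsernames(loginHardened, WORDLIST),   // []
  };
}

const { leaked, hidden } = demo();
console.log('usernames leaked by the vulnerable handler:', leaked);
console.log('usernames leaked by the hardened handler:', hidden);
```

The length check is the same heuristic used with Intruder's response-length column: the majority length is treated as the "unknown user" baseline and anything else is a hit. A generic message removes that signal, but it is only half the fix for this lab: the account also needs a password that is not guessable, and the login endpoint needs rate limiting or lockout so that a wordlist cannot be run against it at all.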

## Additional sources

{% embed url="https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)" %}
