Using Burp to Hack Cookies and Manipulate Sessions

Access the lab

Using Burp to Brute Force a Login Page :

1. Set Up Burp Suite

• Ensure Burp is configured with your browser.
• In Burp Proxy, turn "Intercept Off" and visit the login page.

2. Capture the Login Request

• Enable "Intercept On" in Burp Proxy.
• Enter random credentials and submit the login form.
• Burp captures the request.

3. Send Request to Intruder

• Right-click the captured request → "Send to Intruder".
• Go to the Intruder tab → "Positions".
• Select username and password as payload positions.
• Set Attack Type to "Cluster bomb".

4. Configure Payloads

• In the "Payloads" tab:▪ Set Payload Set 1 (username) → Enter possible usernames.
• Set Payload Set 2 (password) → Enter possible passwords.
• Click "Start Attack".

5. Analyze Results

• Sort results by Length and Status.
• Identify successful login attempts.

6. Verify Success

• Use the discovered credentials to log in manually.

Additional Considerations :

• Account Lockout: Some sites lock accounts after multiple failed attempts.
• Verbose Error Messages: Errors revealing if a username exists can help attackers.
• Burp Scanner: Automate scanning for authentication vulnerabilities.

Steps :

1. First open this page , after doing the intercept off then login by giving username: user : password : user.
   

2. intercept on → refresh the page → then send to repeater

3. send this to repeater
   

4. click on SEND
   

5. edit the uid form 23 to 1
   

6. show response in browser
   

7. copy the link and open in the browser
   

• Now you are logged in as admin.

7. now you logged in through user but you got acces to admin account through this process,