June 30, 2026
Lab: Authentication bypass via encryption oracle (Business logic vulnerabilities) #lab 11
By PRiTi.EX
Solution:
- Turn on Burp, then log in to the lab with the given credentials, and do not forget to tick "Stay logged in".
- The login POST request sets a stay-logged-in= cookie.
- From then on, the browser includes this stay-logged-in= cookie with every request we send.
- Next, go to any blog post and post a comment. I did this multiple times and found that submitting the form as in the image below produces an error, and that error is the point.
- We see an "Invalid email address" error.
- So the check only fires on the email field.
- Next, go to Burp and look at POST /post/comment: when we put "hacker" in the email field, the response carries a notification= cookie in a Set-Cookie header.
- That cookie is then sent with the next request, GET /post?postId=6, where the notification header is used.
- Also check the /post?postId=6 response: it shows "Invalid email address: hacker".
- So the error text shown above travels in the notification cookie: "Invalid email address: hacker" is encrypted into the notification value by the comment request, and decrypted from it by the post request. In other words, we have both an encryption oracle and a decryption oracle.
- The solution is to set up these two request types in the Repeater tab.
- Send both requests to Burp Repeater:
POST /post/comment
GET /post?postId=x
- Rename them "encrypt" (the comment request) and "decrypt" (the post request).
- Copy the value of the stay-logged-in cookie and place it inside the notification cookie of the decrypt request.
- When sent, the server decrypts it and reveals: wiener:1598530205184
- This confirms the authentication cookie format: username:timestamp
- Save the timestamp value.
Generate an Administrator Cookie
Use the encryption oracle by setting the email parameter of the encrypt request to: administrator:1598530205184
Submit the request.
The response contains a newly encrypted notification cookie representing your chosen plaintext.
- However, when decrypted, it becomes: Invalid email address: administrator:1598530205184
- The application automatically prepends: Invalid email address:
- This unwanted prefix must be removed.
Identify the Block Cipher Limitation
Decode the encrypted cookie using Burp Decoder:
- URL Decode
- Base64 Decode
Attempting to remove only the prefix bytes causes a decryption error because the application uses a block cipher with 16-byte blocks.
- Since "Invalid email address: " is 23 bytes long, deleting only those bytes breaks block alignment.
Align the Prefix
To make removal possible, pad the beginning of your payload with 9 characters: xxxxxxxxxadministrator:1598530205184
- Why 9? → 23 + 9 = 32 bytes
- 32 bytes is exactly 2 AES blocks, so the prefix plus padding now ends on a block boundary and can be cut away as whole blocks.
Now encrypt this payload using the encryption oracle.
Remove the Prefix Blocks
Decode the new ciphertext:
- URL Decode
- Base64 Decode
- Delete the first 32 bytes, which correspond to: Invalid email address: xxxxxxxxx
Re-encode the ciphertext:
- Base64 Encode
- URL Encode
Insert the modified value into the notification cookie and send it to the decryption oracle.
The response now reveals: administrator:1598530205184
The unwanted prefix has been successfully removed.
Forge the Administrator Authentication Cookie
Take the ciphertext that decrypts to: administrator:1598530205184
- Open a request to: GET /
- Remove the existing session cookie and replace the stay-logged-in cookie with your forged ciphertext.
- Send the request.
You are now authenticated as: administrator
Access the Admin Panel
Browse to: /admin
The administrator interface is now accessible.
Locate the delete-user functionality and visit: /admin/delete?username=carlos
The user carlos is deleted and the lab is solved.
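As an added example (not part of this writeup or of the lab's own code), the Python below first shows the arithmetic behind the "Align the Prefix" step (why 23 prefix bytes need 9 bytes of filler to fill exactly two 16-byte blocks), and then the defensive design that closes the hole: each cookie is authenticated and bound to a purpose label, so a ciphertext minted for the notification cookie is rejected when presented as stay-logged-in, and deleting leading blocks fails the tag check instead of yielding a shorter valid plaintext. The key, the purpose labels, the HMAC-SHA256 counter-mode keystream and the demo() function are all constructed for this example; a real application would use an AEAD such as AES-GCM with the purpose as associated data, and would not reflect decrypted cookie contents back to the user at all.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

BLOCK_SIZE = 16                        # AES block size, as in the lab
PREFIX = b"Invalid email address: "    # the 23-byte prefix the application prepends


def prefix_padding(prefix: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Filler bytes needed so the prefix ends exactly on a block boundary.
    For the 23-byte lab prefix this is 9, because 23 + 9 = 32 = 2 * 16."""
    return (-len(prefix)) % block_size


def prefix_blocks(prefix: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Whole blocks occupied by the padded prefix (2 for the lab)."""
    return (len(prefix) + prefix_padding(prefix, block_size)) // block_size


# --- Hardened design: authenticated, purpose-bound tokens -------------------
# Illustrative PRF keystream (HMAC-SHA256 in counter mode) so this runs with the
# standard library only; production code would use an AEAD such as AES-GCM.
# The security point is the tag over (purpose, nonce, ciphertext), not the cipher.
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, purpose: str, plaintext: bytes, nonce: Optional[bytes] = None) -> str:
    """Encrypt and bind the result to a purpose label ("stay-logged-in" or
    "notification"); the tag covers the label, so tokens cannot be swapped."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, purpose.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unseal(key: bytes, purpose: str, token: str) -> Optional[bytes]:
    """Return the plaintext only if the tag verifies for this purpose; any
    truncation, block deletion or purpose mismatch yields None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, purpose.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def demo(key: bytes = b"constructed-demo-key-not-for-production") -> dict:
    """Replay the lab's moves against the hardened scheme and report what survives."""
    nonce = bytes(range(NONCE_LEN))  # fixed nonce only so the demo is reproducible
    session = seal(key, "stay-logged-in", b"wiener:1598530205184", nonce)
    # The notification cookie still carries the prefixed error text, under its own label.
    notification = seal(key, "notification", PREFIX + b"administrator:1598530205184", nonce)

    # 1. The legitimate session cookie still opens.
    valid = unseal(key, "stay-logged-in", session)
    # 2. Feeding the session cookie to the notification decryptor reveals nothing.
    cross_purpose = unseal(key, "notification", session)
    # 3. Cutting the first two 16-byte ciphertext blocks (the lab's trick) fails the tag.
    raw = base64.urlsafe_b64decode(notification)
    stripped = raw[:NONCE_LEN] + raw[NONCE_LEN + 2 * BLOCK_SIZE:]
    block_deleted = unseal(key, "stay-logged-in", base64.urlsafe_b64encode(stripped).decode())
    return {"valid": valid, "cross_purpose": cross_purpose, "block_deleted": block_deleted}


if __name__ == "__main__":
    print("padding needed:", prefix_padding(PREFIX), "blocks:", prefix_blocks(PREFIX))
    print(demo())
```

The two properties worth checking in any cookie scheme are visible in demo(): a token is only accepted under the label it was minted for, and any edit to the ciphertext, including removal of whole blocks, is rejected before decryption rather than producing a plausible shorter plaintext.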