Man this one should have been an expert lab and just a practitioner lab. It was hard to follow but in the end I got it.

1. Initial Setup and Observations Log In and Stay Logged In: Log in with the "Stay logged in" option enabled. Post a comment and observe the requests and responses using Burp Suite. Note the encrypted stay-logged-in cookie. Invalid Email Address Submission: Try submitting a comment with an invalid email address. Observe that a notification cookie is set and includes your email in cleartext. 2. Encryption and Decryption Exploration Burp Repeater Setup: Send the POST /post/comment request to Burp Repeater and rename the tab to "encrypt". Send the GET /post?postId=x request (with the notification cookie) to Burp Repeater and rename the tab to "decrypt". Encrypt and Decrypt Data: Use the email parameter in the "encrypt" request to generate an encrypted cookie. Use the notification cookie in the "decrypt" request to decrypt data and see the output in the error message. 3. Exploiting the Encryption Decrypt Stay-Logged-In Cookie: Copy your stay-logged-in cookie and paste it into the notification cookie in the "decrypt" request. Send the request and note the decrypted format: username:timestamp. Create Administrator Cookie: Copy the timestamp from the decrypted stay-logged-in cookie. In the "encrypt" request, set the email parameter to administrator:your-timestamp (replace your-timestamp with the actual timestamp). Send the request and copy the new encrypted notification cookie. 4. Bypassing the Encryption Prefix Handle Prefix in Decrypted Message: Decrypt the new cookie and observe the "Invalid email address: " prefix. URL-decode and Base64-decode the cookie in Burp Decoder. Adjust for Block-Based Encryption: In Burp Repeater, delete the first 23 bytes from the decoded data. Pad the email parameter with 9 characters to make the data length a multiple of 16, e.g., xxxxxxxxxadministrator:your-timestamp. Encrypt and decrypt the adjusted data to ensure it's valid. 5. Using the Self-Made Cookie Remove Prefix and Finalize Cookie: Delete 32 bytes from the start of the decoded data after ensuring the length is correct. Re-encode the data and use it as the notification cookie. Gain Admin Access: Send the GET / request with the new stay-logged-in cookie (replace the session cookie) in Burp Repeater. Verify that you are logged in as the administrator. Delete User: Browse to /admin and use the delete option to remove the user carlos (e.g., /admin/delete?username=carlos).

Thanks, Sommer, It's just amazing walkthrough

Hey Micheal.. I am facing one issue with my Burp Pro. After right clicking on first byte, I am not finding any options for deleting specific number of bytes in decoder.

The lab was interesting, great explanation also.

How did you guess it's url + b64 encoded over a random cypher ?

Thanks, this one was hard!

Thank you for video shows the lab solution of "Authentication bypass via encryption oracle". But I dont underdtand: 1. I try to replace the time-stamp parameter to any value, the lab is still successful. So, What does the time-stamp parameter mean? 2. when i change the time-stamp parameter for example xxxxxxxxxadministrator:12345. The length will no longer be a multiple of 16. why does it still work?

Tuffest practitioner lab. Now iss easy, but it was hard to wrap my head around it

this one was so hard to understand took me all morning - the trick is that the encryption output has padding bytes (added to the end) so that it will always be a multiple of 16.

why first we delete 23 first bytes but the real is to delete 32? very apreciate about to learn how to get this numbers. is a very rich content anyway, tnx a lot

dope lab

tuff one wow

can follow but i won't be able to use this technique in my real life ever....there are lot of the assumption there...which i have no clues on it.

i dont want to be rude but You confuse me alot

useless video, the BurP Suite has a different interface and options, so there is not point in using it, also many questions here are not answered.

Man this crap is not practicioner at all. Hence I have read enough pentest reports and BB writings to conclude this thing will not be common at all in the wild. When things started to get messy I just skipped it. Maybe one day I will be bored and I want some CTF,

maybe it just me but seems like there is no explanation at all in these videos, just manually saying what to click which is not a characteristic of a good lesson. the "why" part is missing so it is useless I am not sure if this teaching style is effective, seems like teaching nothing, just encouraging repeating actions which is really useless

Finally, I got it. I can't believe it's at the Practitioner level. 🥲