| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Encryption Oracle Abuse |
| Difficulty | Practitioner |
| Objective | Exploit the encryption oracle to forge a stay-logged-in cookie for administrator, then delete the user carlos |
Authentication Bypass via Encryption Oracle¶
I logged in as wiener:peter with "Stay logged in" checked:
The session included an encrypted stay-logged-in cookie. Making a comment with an invalid email:
The response set a notification cookie containing the encrypted error message:
An encryption oracle is any endpoint that encrypts attacker-controlled data under the application's own key — here, the comment system encrypted the submitted email and returned the ciphertext in a cookie. The complement is a decryption oracle: any endpoint that decrypts data and reflects the result. Setting the stay-logged-in cookie as the notification cookie revealed:
wiener:1782594345726
The stay-logged-in format is username:timestamp. To become administrator, we need to forge an encrypted administrator:1782594345726.
Submitting administrator:1782594345726 as the invalid email returned an encrypted notification — but the ciphertext covers Invalid email address: administrator:1782594345726, not just our target. The prefix needs to be stripped.
Decrypting the result confirmed the full string:
Invalid email address: administrator:1782594345726
AES operates on 16-byte blocks. The prefix Invalid email address: is 23 bytes — spanning the first two blocks (bytes 0–15 and 16–31). Adding 9 bytes of padding before administrator forces the prefix to fill exactly two complete 16-byte blocks (32 bytes total), aligning our payload to a clean block boundary:
Padded email: xxxxxxxxxadministrator:1782594345726
URL-decoding and base64-decoding the resulting ciphertext in Burp Decoder, then deleting the first 32 bytes (the two encrypted prefix blocks):
Re-encoding and setting the trimmed bytes as the notification cookie to verify:
administrator:1782594345726
The trimmed ciphertext decrypted to exactly the target. I logged out and set it as the stay-logged-in cookie in the browser's storage:
Navigating to the site — logged in as administrator. Going to /admin and deleting carlos:
Lab solved