Open in app

Sign in

Write

Sign in

Cracking Password of a Website from Response Headers

Hengky Sanjaya
Hengky Sanjaya Blog
Published in
3 min readMay 31, 2020

--

This tutorial is 100% for Education Purpose only. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

In this tutorial, we will learn and try to crack the password on a simple website.

You can visit this link below, to try it by yourself:

https://hackme.kurniawan.ceo/

How to crack

First step, you can try to send a request to the server by submitting a random password in the text field.

Then you go to the Inspect Element->Network tab.

Example using Google Chrome (Network Tab)

Then you will see a request in the box below:

Click on it, then see select the “Headers” tab to see the “Response Headers”

From there, you can see that the server is using Cloudflare.

And there are 3 important fields in the Response Headers that we are going to use:

  • incorrect-diff
  • incorrect-index
  • incorrect-length

Incorrect-diff

Incorrect-diff stands for Incorrect Difference. This value shows the difference between the Real Password and the user input password.

It’s the value of subtraction of ASCII Value of the last correct character of Real Password and the Input Password.

What is ASCII?

ASCII (/ˈæskiː/ ( listen) ASS-kee), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices.

ASCII Table

For instance,

  • The real password is “A”
  • The inputted password is “G”

“A” in ASCII = 65

“G” in ASCII = 71

It means the incorrect-diff = 6 (71–65)

Incorrect-index

This value means in what position of the first incorrect character of password.

Let’s say our real password is “ABC”. And your input “AAA”

The incorrect-index will be 1 because the first incorrect character in your password is in the second position (Index start from 0).

Incorrect-length

This is the True/False value indicates whether the length of the inputted password from the user is exactly the same with the real password in the server.

Let’s try it by yourself and give Applause as many as the length of the password that you found 😄.

If you enter the password correctly, in the response headers it won’t show the incorrect- fields anymore.

And you will see a correct message appears in the top of the textbox.

Thanks! 😃

Ethical Hacking
Hacking
Linux
Penetration Testing
Hacker

--

--

Hengky Sanjaya
Hengky Sanjaya Blog

Written by Hengky Sanjaya

116 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams