Cracking Password of a Website from Response Headers

This tutorial is 100% for Education Purpose only. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking. Do not attempt to violate the law with anything contained here. If you planned to use the content for illegal purposes, then please leave this site immediately! We will not be responsible for any illegal actions.

In this tutorial, we will learn and try to crack the password on a simple website.

You can visit this link below, to try it by yourself:

How to crack

First step, you can try to send a request to the server by submitting a random password in the text field.

Then you go to the Inspect Element->Network tab.

Example using Google Chrome (Network Tab)

Then you will see a request in the box below:

Click on it, then see select the “Headers” tab to see the “Response Headers”

From there, you can see that the server is using Cloudflare.

And there are 3 important fields in the Response Headers that we are going to use:

  • incorrect-diff
  • incorrect-index
  • incorrect-length


Incorrect-diff stands for Incorrect Difference. This value shows the difference between the Real Password and the user input password.

It’s the value of subtraction of ASCII Value of the last correct character of Real Password and the Input Password.

What is ASCII?

ASCII (/ˈæskiː/ ( listen) ASS-kee), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices.


For instance,

  • The real password is “A”
  • The inputted password is “G”

“A” in ASCII = 65

“G” in ASCII = 71

It means the incorrect-diff = 6 (71–65)


This value means in what position of the first incorrect character of password.

Let’s say our real password is “ABC”. And your input “AAA”

The incorrect-index will be 1 because the first incorrect character in your password is in the second position (Index start from 0).


This is the True/False value indicates whether the length of the inputted password from the user is exactly the same with the real password in the server.

Let’s try it by yourself and give Applause as many as the length of the password that you found 😄.

If you enter the password correctly, in the response headers it won’t show the incorrect- fields anymore.

And you will see a correct message appears in the top of the textbox.

Thanks! 😃



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store