BlogToolz
Search
K
Links
Comment on page

Username enumeration via different responses

This lab is vulnerable to username enumeration and password brute-force attacks.
The target site has an account with a predictable username and password, which can be found in the following wordlists:
usernames.txt
814B
Text
passwords.txt
850B
Text
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.

Enumeration

Home Page
Login Page
Login Form
Login Form
Error Message
Upon Inspection of the login page, we are able to get a detailed response regarding the entered information.

Exploitation

Username Enumeration

Setup burp to intercept requests.
Make a login request with random credentials and intercept it with burp.
In the response of that request, we are able to see that the site returns Invalid Username
Right-click on the POST request and send it to the intruder tab
Head over to the Intruder tab and clear all markings
Mark only the username field
Head over to the payloads tab under Intruder and make sure the following options are set and paste the username list for enumeration.
Payload set: 1
Payload type: Simple List
Once done, hit start attack. (ignore error, if any)
Once, attack is completed, sort the requests according to Length. When done so, one of the requests should have a longer length compared to the rest as shown below.
Upon further inspection of that request, we are able to see a new error as such. This confirms that the username is indeed application
Incorrect password

Password Enumeration

Now repeat the process all over again but target the password field with the password list while keeping the username a constant.
Right-click on the POST request and send it to the intruder tab
Setup the positions as such
Paste the password list where the username list was
Start the attack
Once, attack is completed, sort the requests according to Length. When done so, one of the requests should have a longer length compared to the rest as shown below. The 302 status code indicates a redirect and looking at the location parameter in the response confirms that we have indeed got the right password. (soccer)
Upon Logging in with the found credentials, we complete the lab.
application:soccer
PortSwigger Labs - Previous
Authentication
Next
Username enumeration via subtly different responses
Last modified 2yr ago