Username enumeration via different responses
This lab is vulnerable to username enumeration and password brute-force attacks.
The target site has an account with a predictable username and password, which can be found in the following wordlists:
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
Home Page
Login Page
Upon inspection of the login page, we can see that it returns a detailed error message about the entered information.
Set up Burp to intercept requests.
Make a login request with random credentials and intercept it with Burp.
In the response to that request, we can see that the site returns the message Invalid Username.
Right-click on the POST request and send it to the Intruder tab.
Head over to the Intruder tab and clear all markings.
Mark only the username field.
Head over to the Payloads tab under Intruder, make sure the following options are set, and paste the username list for enumeration.
Once done, hit Start attack (ignore the error, if any).
Once the attack is completed, sort the requests by Length. One of the requests should have a longer length than the rest, as shown below.
Upon further inspection of that request, we can see a different error message. This confirms that the username is indeed application.
Now repeat the whole process, but this time target the password field with the password list while keeping the username constant.
Right-click on the POST request and send it to the Intruder tab.
Set up the positions as such.
Paste the password list where the username list was.
Start the attack.
Once the attack is completed, sort the requests by Length. One of the requests should have a longer length than the rest, as shown below. The 302 status code indicates a redirect, and looking at the Location header in the response confirms that we have indeed got the right password (soccer).
Upon logging in with the found credentials, we complete the lab.
✅
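The root cause of this lab is that the two failure cases return different bodies, so sorting by Length singles out the valid username. Below is an added example (my own toy code, not the lab's) showing a vulnerable handler beside a hardened one, plus a small check that reproduces the "sort by Length" observation; the user store, salt, password hashing and response texts are constructed for illustration.

```python
"""Constructed toy login handlers: the response-difference leak and its fix."""
import hashlib
import hmac
from collections import Counter

# Constructed user store: username -> salted password hash (fixed salt for the demo).
def _hash(pw: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

USERS = {"application": _hash("soccer")}
# Dummy hash so an unknown username still costs a full hash comparison (timing parity).
DUMMY_HASH = _hash("not-a-real-password")

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Distinct error messages: the body (and its length) reveals whether the
    username exists. This is what the Intruder 'sort by Length' step picks up."""
    stored = USERS.get(username)
    if stored is None:
        return 200, "Invalid username"
    if not hmac.compare_digest(stored, _hash(password)):
        return 200, "Incorrect password"
    return 302, "Location: /my-account"

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """One generic message and the same amount of work for both failure cases,
    so neither the body nor the timing distinguishes valid from invalid usernames."""
    stored = USERS.get(username, DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash(password))  # always computed
    if not (matched and username in USERS):
        return 200, "Invalid username or password"
    return 302, "Location: /my-account"

def enumeration_oracle(login, candidates, password="wrong-password") -> set[str]:
    """Mirror of the walkthrough's check: which candidates produce a response
    body whose length differs from the common one? Empty set means no leak."""
    lengths = {u: len(login(u, password)[1]) for u in candidates}
    common = Counter(lengths.values()).most_common(1)[0][0]
    return {u for u, n in lengths.items() if n != common}

if __name__ == "__main__":
    names = ["alice", "bob", "application", "carol"]
    print("vulnerable leaks:", enumeration_oracle(login_vulnerable, names))
    print("hardened leaks:  ", enumeration_oracle(login_hardened, names))
```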