Username enumeration via different responses
This lab is vulnerable to username enumeration and password brute-force attacks.
The target site has an account with a predictable username and password, which can be found in the following wordlists:
usernames.txt (814B, text)
passwords.txt (850B, text)
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
Home Page

Login Page

Login Form

Error Message
Upon inspecting the login page, we find that it returns a detailed response about the information entered.
Set up Burp to intercept requests.

Make a login request with random credentials and intercept it with Burp.

In the response to that request, we can see that the site returns "Invalid Username".


Right-click on the POST request and send it to the Intruder tab.
Head over to the Intruder tab and clear all markings.


Mark only the username field


Head over to the Payloads tab under Intruder, make sure the following options are set, and paste the username list for enumeration.
Payload set: 1
Payload type: Simple List

Once done, hit Start attack (ignore the error, if any).


Once the attack is completed, sort the requests by Length. One of the requests should have a longer length than the rest, as shown below.

Upon further inspection of that request, we see a new error: "Incorrect password". This confirms that the username is indeed application.

Now repeat the whole process, but target the password field with the password list while keeping the username constant.
Right-click on the POST request and send it to the Intruder tab.
Set up the positions as such

Paste the password list where the username list was

Start the attack

Once the attack is completed, sort the requests by Length. One of the requests should have a longer length than the rest, as shown below. The 302 status code indicates a redirect, and looking at the Location header in the response confirms that we have indeed got the right password (soccer).
Upon logging in with the found credentials, we complete the lab.
application:soccer


✅
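
The root cause behind both findings above, shown as an added example that is not part of the original write-up or the lab's code: a login handler whose failure message depends on which field was wrong, next to a hardened version that returns one generic failure and caps guesses per username. All names, the sample account and the MAX_FAILURES threshold are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold; tune to your own policy

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed account store for the example (username -> (salt, hash)).
USERS = {"alice": _record("correct horse battery")}
# Dummy record: unknown usernames still cost one full hash computation.
_DUMMY = _record("placeholder")
_failures = defaultdict(int)  # keyed by submitted username, known or not

def login_vulnerable(username, password):
    """Behaviour the lab exhibits: the error names the wrong field."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Incorrect password"
    return 302, "/my-account"

def login_hardened(username, password):
    """One generic failure response, plus a cap on guesses per username."""
    if _failures[username] >= MAX_FAILURES:
        return 429, "Too many attempts, try again later"
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and username in USERS:
        _failures.pop(username, None)
        return 302, "/my-account"
    # Counted for unknown names too, so the lockout itself leaks nothing.
    _failures[username] += 1
    return 200, "Invalid username or password"

def distinguishable(handler, known_user, unknown_user):
    """Regression check: do failed logins differ in status, body or length?"""
    return handler(known_user, "wrong-pass") != handler(unknown_user, "wrong-pass")
```

A real deployment would also expire the failure counters after a time window and bound the size of the counter store; both are left out here to keep the comparison short.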