Username enumeration via subtly different responses

This lab is subtly vulnerable to username enumeration and password brute-force attacks.

Exploitation

Username Enumeration

Submit an incorrect set of credentials to the login page and capture the POST request with Burp Suite. Then send the request to Intruder.

The only response we get after an incorrect attempt is "Invalid username or password." Let's look for that string while brute-forcing usernames first. Under the Positions tab, mark the username field.

Under Payloads, paste the given username list.

Under Options, head to the Grep - Extract tab and click Add.

Highlight the phrase "Invalid username or password." This marks the string and extracts it from every response, so we may be able to spot a difference and identify the username.

Once the attack completes, sorting the grep extract reveals one request with a slightly different response compared to the rest as shown below.

The response to request number 56 is missing the full stop that every other response has. We can assume this was intentional on the part of the challenge developer and take that request's payload as the username.

Username = alpha

Password Enumeration

With the username found, we can now replace the username in the request with the correct one and, under the Positions tab, mark the password field for brute force.

Then head to the Payloads tab, paste the given password list and start the attack!

Once the attack is completed, sorting the requests by status code reveals one request with status code 302, which is often seen after a successful login.

From this we can infer that the password is dragon.

username = alpha
password = dragon

Logging in with those credentials completed the lab!
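The lab's flaw is two separately written failure branches, one of which ends in a full stop and one of which does not, plus a 302 that only a successful login produces. The following is an added example, not code from the lab or from PortSwigger, that models the vulnerable login handler beside a hardened one with a single shared failure path, together with the regression check a developer would run to confirm that failure responses are identical across usernames. The user store, salt and credentials are constructed to mirror the lab; the handler and function names are assumptions.

```python
import hashlib
import hmac

# Constructed user store for the example: username -> salted SHA-256 hex digest.
# The salt, the account and the password are made up to mirror the lab's credentials.
_SALT = b"constructed-example-salt"

def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

_USERS = {"alpha": _hash("dragon")}
_DUMMY_HASH = _hash("dummy-value-so-unknown-users-still-get-compared")
FAILURE_MESSAGE = "Invalid username or password."

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Reproduces the lab's flaw: the unknown-user branch and the wrong-password
    branch build their error text separately, so one has a full stop and one does not."""
    if username not in _USERS:
        return 200, "Invalid username or password."
    if _USERS[username] != _hash(password):
        return 200, "Invalid username or password"  # same words, missing full stop
    return 302, "/my-account"

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Single shared failure path: the same status and body whatever the cause, and a
    constant-time comparison that runs even when the username does not exist."""
    stored = _USERS.get(username, _DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if username not in _USERS or not match:
        return 200, FAILURE_MESSAGE
    return 302, "/my-account"

def distinct_failure_responses(handler, usernames, wrong_password="not-the-password"):
    """Regression check: drive a handler with many usernames and one wrong password and
    return the set of distinct (status, body) responses. A uniform endpoint yields one."""
    return {handler(name, wrong_password) for name in usernames}

if __name__ == "__main__":
    candidates = ["admin", "alpha", "guest", "root"]
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__, distinct_failure_responses(handler, candidates))
```

The vulnerable handler leaks two distinct failure bodies over that candidate list, which is exactly the difference the Grep - Extract sort surfaced; the hardened handler yields one.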
