
# Username enumeration via subtly different responses

## Exploitation

### Username Enumeration

Submit an incorrect set of credentials to the login page and capture the `POST` request in Burp. Then send the request to Intruder.

![](/files/dfTvLi8B37NnzSd7CXnE)

![](/files/tvjQ6JvMrMYW62lLB85y)

The only response we get after an incorrect attempt is `Invalid username or password.`. Let's look for that exact string while brute-forcing usernames first. Under the Positions tab, mark the username field.

![](/files/Hlesxa2CFk3vhZDq48Z1)

Under payloads, paste the given username list.

![](/files/xNg10tBau7AyQ752tetm)

Under Options, head to the `Grep - Extract` section and click Add.

![](/files/4R033q7Meg4x12NOFsIS)

Highlight the phrase `Invalid username or password.`. This marks the string and extracts it from every response, so any deviation from the usual message shows up in the results and may point us to the valid username.

![](/files/qQH0n9m4f85Dj3pffPIN)

![](/files/nHzyx2WQveGOb8QyhTue)

Once the attack completes, sorting the grep extract reveals one request with a slightly different response compared to the rest as shown below.

![](/files/5l06KF2Z5WeXVQPavPzf)

We can see that the response to request number 56 is missing the full stop that every other response has. We can assume this was intentional on the part of the challenge developer and take that request's payload as the username.

```
Username = alpha
```
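The lab works because the application's two failure paths (unknown username versus wrong password) produce slightly different bodies. The following added example, which is not part of the original writeup or of the PortSwigger lab code, sketches that defect next to the hardened form: a single constant failure message, the same status code, and the same password-hashing work on both paths, so that neither the body nor the timing distinguishes a real account from a non-existent one. The user store, salt and password are constructed for the example; `responses_differ` is a hypothetical helper that a developer could keep in the test suite as a regression check.

```python
import hashlib
import hmac

# Constructed user store for the example; the salt is fixed so the example is deterministic.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a real deployment would use argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "alpha": (_SALT, _hash_password("dragon", _SALT)),  # constructed account
}

# Dummy credential record used for unknown usernames so the failure path
# performs exactly the same hashing work as the known-user path.
_DUMMY = (_SALT, _hash_password("placeholder-not-a-real-password", _SALT))

FAILURE = "Invalid username or password."


def login_vulnerable(username: str, password: str):
    """The defect the lab exploits: each failure branch writes its own message,
    and the unknown-user branch lacks the trailing full stop."""
    if username not in USERS:
        return 200, "Invalid username or password"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return 302, "Redirecting to /my-account"
    return 200, "Invalid username or password."


def login_hardened(username: str, password: str):
    """Same status, same body and same amount of work whichever part is wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # The membership check prevents the dummy record from ever authenticating.
    if password_ok and username in USERS:
        return 302, "Redirecting to /my-account"
    return 200, FAILURE


def responses_differ(handler, known_user: str, unknown_user: str, password: str) -> bool:
    """Regression check: a wrong password for a real account must be
    indistinguishable from any password for a non-existent account."""
    return handler(known_user, password) != handler(unknown_user, password)
```

Running `responses_differ` against both handlers with a real username and a made-up one is the check to keep: it returns `True` for the vulnerable handler (the responses are not byte-identical) and `False` for the hardened one.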

### Password Enumeration

With the username found, we can now replace the username in the request with the correct one and mark the password field for brute force under the positions tab.

![](/files/leX0iWCInTauY7isU63T)

Then head to the payloads tab, paste the given password list and start the attack!

![](/files/aKFPjD4aCDfbUtFW5P2d)

Once the attack is completed, sorting the requests by status code reveals one request that received a `302`, which is the redirect typically issued after a successful login.

![](/files/1He67FQIYjAoOzdQtpfl)

From this we can infer that the password is `dragon`.

```
username = alpha
password = dragon
```
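From the defender's side, the two Intruder runs above leave a distinctive trace in the web server or application logs: one source address submitting many different usernames, then many passwords for one username, ending in a single `302`. The following added example (not part of the original writeup) parses constructed log lines in a simple `timestamp ip POST /login user=... status=...` format, aggregates them per source address, and flags the two patterns. The log format, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed log format for the example; adapt the regex to the real access log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def build_sample_log() -> list:
    """Constructed sample: an enumeration run, a password run against the
    discovered account, and one ordinary user who mistypes once."""
    lines = []
    attacker, normal = "203.0.113.5", "198.51.100.7"
    # 30 distinct usernames, all rejected (username enumeration phase).
    for i in range(30):
        lines.append(f"2024-01-01T10:00:{i:02d}Z {attacker} POST /login user=user{i} status=200")
    # 15 password attempts for one account, the last one succeeds.
    for i in range(15):
        status = 302 if i == 14 else 200
        lines.append(f"2024-01-01T10:01:{i:02d}Z {attacker} POST /login user=alpha status={status}")
    lines.append(f"2024-01-01T10:02:00Z {normal} POST /login user=carol status=200")
    lines.append(f"2024-01-01T10:02:05Z {normal} POST /login user=carol status=302")
    return lines


def parse(lines):
    """Yield parsed records, silently skipping lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), int(m.group("status"))


def summarise(lines) -> dict:
    """Per-source counters: distinct usernames tried, failures and successes."""
    stats = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for ip, user, status in parse(lines):
        s = stats[ip]
        s["users"].add(user)
        if status == 302:
            s["successes"] += 1
        else:
            s["failures"] += 1
    return stats


def detect(lines, min_distinct_users: int = 10, min_failures: int = 10) -> dict:
    """Return {ip: [reasons]} for sources matching an enumeration or
    a brute-force-then-success pattern. Thresholds are example values."""
    alerts = {}
    for ip, s in summarise(lines).items():
        reasons = []
        if len(s["users"]) >= min_distinct_users:
            reasons.append("many distinct usernames from one source (enumeration)")
        if s["failures"] >= min_failures and s["successes"] >= 1:
            reasons.append("many failures followed by a success (brute force)")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(build_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The same counters also give the operational mitigation a place to hook in: per-source rate limiting or account lockout triggered from `summarise` before the password phase can complete, in addition to the constant-response fix that removes the enumeration signal in the first place.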

Logging in with those credentials completed the lab!

![](/files/FEpQCEZ575Dlh14RL3Tr)

✅

