Username enumeration via subtly different responses
This lab is subtly vulnerable to username enumeration and password brute-force attacks.
Submit an incorrect set of credentials to the login page and capture the POST request with Burp. Then send the request to Intruder.
The only response we get after an incorrect try is "Invalid username or password." Let's look for that string while brute-forcing usernames first. Under the Positions tab, mark the username field.
Under payloads, paste the given username list.
Under Options, head to the Grep - Extract tab and hit Add.
Highlight the phrase "Invalid username or password." Intruder will now extract that string from every response, so any request whose response deviates from it stands out. We might be able to spot a difference and maybe find the username.
Once the attack completes, sorting the grep extract column reveals one request with a slightly different response compared to the rest, as shown below.
Request number 56's response is missing the full stop at the end of the message compared to the rest. This can only happen if the application takes a different code path for an existing username, so we can assume this was intentional by the challenge developer and take that payload as the username.
Username = alpha
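To make clear why the missing full stop leaks the username, here is an added example (not the lab's code, and not part of the original writeup) that models the flawed login handler beside a hardened one, plus the check a defender would run after a fix to confirm that every failed login now produces exactly one response. The user store, salt, password hashing scheme and the redirect body are constructed for the example; only the credentials `alpha` / `dragon` come from the page.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (example data, not the lab's back end).
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
_SALT = os.urandom(16)
_ITERATIONS = 50_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alpha": _hash_password("dragon")}

# Hashed once at start-up: unknown usernames cost the same work as known ones,
# so the "user not found" path has no timing shortcut either.
_DUMMY_HASH = _hash_password("dummy-value-never-accepted")

GENERIC_ERROR = "Invalid username or password."
SUCCESS_BODY = "Redirecting to /my-account"  # constructed stand-in for the real page


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Handler with the lab's flaw: two failure branches return two strings
    that differ only by the trailing full stop."""
    stored = USERS.get(username)
    if stored is None:
        return 200, "Invalid username or password."
    if _hash_password(password) != stored:
        return 200, "Invalid username or password"  # full stop missing: leaks that the user exists
    return 302, SUCCESS_BODY


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same logic, but both failures share one string, one status and one amount of work."""
    stored = USERS.get(username, _DUMMY_HASH)
    candidate = _hash_password(password)  # always computed, even for unknown users
    # compare_digest avoids byte-by-byte short-circuit timing; the membership
    # check stops the dummy hash from ever authenticating an unknown user.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return 200, GENERIC_ERROR
    return 302, SUCCESS_BODY


def group_responses(handler, candidates, password="definitely-wrong"):
    """Group candidate usernames by the (status, body) the handler returns for a
    wrong password. Returns {(status, body): [usernames]}. After a fix this
    dictionary should have exactly one key: nothing left to grep-extract on."""
    groups: dict[tuple[int, str], list[str]] = {}
    for name in candidates:
        groups.setdefault(handler(name, password), []).append(name)
    return groups


def leaks_usernames(handler, candidates) -> bool:
    """True if failed logins for different usernames are distinguishable."""
    return len(group_responses(handler, candidates)) > 1


if __name__ == "__main__":
    wordlist = ["admin", "carlos", "alpha", "wiener"]  # constructed candidate list
    print("vulnerable leaks:", leaks_usernames(login_vulnerable, wordlist))
    print("hardened leaks:  ", leaks_usernames(login_hardened, wordlist))
```

`group_responses` is the same comparison Intruder's Grep - Extract performs, expressed as a regression check: run it against the fixed handler in a unit test so a future refactor that reintroduces a second error string fails the build rather than shipping.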
With the username found, we can now replace the username in the request with the correct one and mark the password field for brute force under the positions tab.
Then head to the payloads tab, paste the given password list and start the attack!
Once the attack is completed, sorting the requests by status code reveals a request with status code 302, a redirect that is often seen after a successful login.
From this we can infer that the credentials are
username = alpha
password = dragon
Logging in with those credentials completed the lab!
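The second half of the lab works because nothing limits failed attempts. As an added example (not part of the original writeup) from the detection side, here is a small check over constructed authentication log lines that flags a client making many failed logins for one account inside a short window, and marks it as a likely compromise when a success follows the burst. The log format (timestamp, client IP, username, status code), the IPs and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <client ip> <username> <status>".
# 10.0.0.5 fails eight times against alpha in ten seconds, then gets a 302.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 alpha 200
2024-01-01T10:00:01 10.0.0.5 alpha 200
2024-01-01T10:00:02 10.0.0.5 alpha 200
2024-01-01T10:00:03 10.0.0.5 alpha 200
2024-01-01T10:00:04 10.0.0.5 alpha 200
2024-01-01T10:00:05 10.0.0.5 alpha 200
2024-01-01T10:00:06 10.0.0.5 alpha 200
2024-01-01T10:00:07 10.0.0.5 alpha 200
2024-01-01T10:00:10 10.0.0.5 alpha 302
2024-01-01T10:02:00 10.0.0.7 carlos 200
2024-01-01T10:02:30 10.0.0.7 carlos 200
2024-01-01T10:03:00 10.0.0.7 carlos 200
2024-01-01T10:05:00 10.0.0.9 bob 302
"""

SUCCESS_STATUS = 302  # the lab's login redirects on success


def parse_log(text):
    """Yield (timestamp, ip, username, status) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = line.split()
        yield datetime.fromisoformat(ts), ip, user, int(status)


def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {(ip, username): verdict} for every (ip, username) pair with at
    least `threshold` failed attempts inside any sliding `window`.
    verdict is "success_after_bruteforce" if a success follows the last
    failure in the burst, otherwise "bruteforce"."""
    events = defaultdict(list)
    for ts, ip, user, status in parse_log(text):
        events[(ip, user)].append((ts, status))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        failures = [ts for ts, status in evs if status != SUCCESS_STATUS]
        burst_end = None
        start = 0
        for end, ts in enumerate(failures):
            # slide the window start forward until it fits inside `window`
            while ts - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = ts  # keep extending: we want the last failure of the burst
        if burst_end is None:
            continue
        succeeded = any(status == SUCCESS_STATUS and ts > burst_end for ts, status in evs)
        alerts[key] = "success_after_bruteforce" if succeeded else "bruteforce"
    return alerts


if __name__ == "__main__":
    for (ip, user), verdict in find_bruteforce(SAMPLE_LOG).items():
        print(f"{verdict}: {ip} -> {user}")
```

The same counting, keyed on username alone rather than (ip, username), catches the distributed variant where each attempt comes from a different address; the threshold then needs to be tuned against the normal rate of mistyped passwords for that account population.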