# Username enumeration via account lock

## Lab Description

<figure><img src="/files/EKN0sdQOHMMR5X3LRN0l" alt=""><figcaption></figcaption></figure>

## Walkthrough

### **Step 1: Understanding the Logic Flaw**

The lab description mentions a logic flaw in account locking. Upon initial testing:

1. Using a **wrong username** results in the error: *"Invalid username or password."*
2. After repeated attempts with an **invalid username**, the account does **not** get locked, suggesting account lockouts apply **only to valid usernames**.

This is an indication that we can use account lockouts as a mechanism to **enumerate valid usernames**.

<figure><img src="/files/oUOslVGkCMjyO9WzPZYQ" alt=""><figcaption></figcaption></figure>

The account lockout mechanism is usually triggered after multiple failed login attempts. However, we hypothesized that this logic might only apply to **valid usernames** and not invalid ones.
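As an added illustration of the flaw described above (not code from the lab or from this writeup), here is a minimal login handler whose lockout counter only exists for real accounts, beside a hardened version that counts failures for any submitted username; the account, threshold and message strings are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: one real account, a 3-strike threshold, stand-in messages.
USERS = {"carlos": "montoya"}
LOCK_THRESHOLD = 3
GENERIC_ERROR = "Invalid username or password."
LOCK_ERROR = "Too many failed attempts. Try again in 1 minute."

class VulnerableLogin:
    """The lab's flaw: failures are only counted for usernames that exist,
    so only a real account can ever produce the lockout message."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, password):
        if username not in USERS:
            return GENERIC_ERROR              # unknown names never lock
        if self.failures[username] >= LOCK_THRESHOLD:
            return LOCK_ERROR                 # reachable only for real accounts
        if USERS[username] == password:
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return GENERIC_ERROR

class HardenedLogin:
    """Counts failures for every submitted username, existing or not, so the
    response sequence is identical for valid and invalid names."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, password):
        if self.failures[username] >= LOCK_THRESHOLD:
            return LOCK_ERROR                 # same for known and unknown names
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return GENERIC_ERROR

def responses_seen(login, username, attempts=10):
    """Distinct messages returned over `attempts` wrong-password logins."""
    return sorted({login.attempt(username, "not-the-password") for _ in range(attempts)})

def leaks_valid_names(login_cls, candidates, attempts=10):
    """Regression check for the fix: True if candidates' response sets differ,
    i.e. the lockout behaviour reveals which names are valid."""
    seen = {tuple(responses_seen(login_cls(), n, attempts)) for n in candidates}
    return len(seen) > 1
```

`leaks_valid_names` is the check to keep in a test suite after fixing the handler; per-username counting on its own still needs per-source rate limiting to slow down guessing.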

### **Step 2: Testing with Null Payloads**

To test this:

1. **Burp Suite Intruder Configuration**:
   * **Payload Set**: Used the **Null Payload** option, which generates a specific number of empty payloads (in this case, 50).
   * This allowed us to send 50 login attempts **with the same invalid username**.
2. **Invalid Username Input**:
   * We used an arbitrary (presumably invalid) username and a random password.
   * The payload repeatedly sent requests with this invalid username.

### **Step 3: Observing Results**

After 50 repeated requests:

* The error message remained the same: **"Invalid username or password."**
* Importantly, no **lockout** message was displayed, and the system did not mention being locked out due to too many attempts.

<figure><img src="/files/mtE4UdjmY7GdZseB0f0e" alt=""><figcaption></figcaption></figure>

### **Step 4: Enumerating Usernames**

To identify valid usernames:

1. Configure **Burp Suite Intruder**.
   * **Payload Set 1**: Load the **Candidate Usernames** list.
   * **Payload Set 2**: Use **Null Payloads** (repeating each username multiple times).
2. Use the **Cluster Bomb** attack type to test each username 10 times with an invalid password.

**Why repeat attempts?**

* A valid username will trigger an account lockout after multiple failed login attempts.
* Invalid usernames will not trigger any lockout, and the response will stay consistent.

<figure><img src="/files/6aE3lMYI2ZvMREDIlWgB" alt=""><figcaption></figcaption></figure>

This makes Burp send each username 10 times with the wrong password, which is enough to trigger the lockout on a valid account.

### **Step 5: Analyzing Results**

1. Use Burp Suite's **Grep - Extract** feature to highlight responses.
   * Filter for differences in the **error message** or **response length**.

<figure><img src="/files/1wKUKrkH8MBwreCqy2pq" alt=""><figcaption></figcaption></figure>

2. A valid username will display an **account lockout message** instead of "Invalid username or password."

<figure><img src="/files/JgYfq29zNIxGg8umKUvw" alt=""><figcaption></figcaption></figure>

### **Step 6: Brute-Forcing the Password**

With the valid username identified:

1. Modify the Intruder attack to focus on brute-forcing the password.
   * Use **Payload Set 1**: Fixed username (valid).
   * Use **Payload Set 2**: Candidate passwords.

<figure><img src="/files/zLznlEkrtZUdYX6rnzVG" alt=""><figcaption></figcaption></figure>

### **Step 7: Observing Response Anomalies**

While brute-forcing:

* When a **response length** differs slightly from the rest, inspect that request.
* A shorter response, or the absence of the error message, often indicates a successful login.

<figure><img src="/files/mUppkTHTIY8XExMKNGtz" alt=""><figcaption></figcaption></figure>

### **Step 8: Accessing the Account**

Using the identified password, log in with the valid username and confirm access to the account page.

<figure><img src="/files/XRIxI6lXX4cSZIlvtcBy" alt=""><figcaption></figcaption></figure>

