Username enumeration via different responses

Lab description

Solution

Step 1: Capturing the Login Request

The first step is to capture the login request using an interception with Burp Suite. As shown in the request, there are two parameters: username and password.

Step 2: Enumerating the Username

• Send the Intercepted Request to Intruder: In Burp Suite, send the captured request to Intruder. Clear all the selected positions and mark only the username field as a payload position.

• Configure Payloads: In the Payloads tab, paste the provided list of usernames.

• Start the Attack: Initiate the attack to test each username.

Step 3: Identifying the Valid Username

• Analyze the Responses: After the attack is completed, look at the response lengths.

  • One of the usernames will have a different response length compared to the others.

  • Upon reviewing the rendered page, this username will also display a different error message, confirming it as valid.

Upon getting the correct Username, we proceed to brute force the passwords as follows

Step 4: Brute-Forcing the Password

• Set Up the Password Attack: Repeat the same process, but this time mark the password field as the payload position. Use the provided password list as payloads.

• Start the Attack: Launch the attack to test each password.

Step 5: Identifying the Correct Password

• Analyze the Responses: Once the attack is complete, look for a response with:

  • A different length from the others.

  • A status code 302 or a success message in the response, indicating a successful login.

• Result:

  • The username and password pair is now verified, and you can use them to access the account.