Username enumeration via different responses
Lab description

Solution
Step 1: Capturing the Login Request
The first step is to capture the login request by intercepting it with Burp Suite.
As shown in the request, there are two parameters: username and password.
Step 2: Enumerating the Username
Send the Intercepted Request to Intruder: In Burp Suite, send the captured request to Intruder. Clear all the selected positions and mark only the username field as a payload position.
Configure Payloads: In the Payloads tab, paste the provided list of usernames.
Start the Attack: Initiate the attack to test each username.

Step 3: Identifying the Valid Username
Analyze the Responses: After the attack is completed, look at the response lengths.
One of the usernames will have a different response length compared to the others.
Upon reviewing the rendered page, this username will also display a different error message, confirming it as valid.

With the valid username identified, we proceed to brute-force the password as follows:
Step 4: Brute-Forcing the Password
Set Up the Password Attack: Repeat the same process, but this time mark the password field as the payload position. Use the provided password list as payloads.
Start the Attack: Launch the attack to test each password.

Step 5: Identifying the Correct Password
Analyze the Responses: Once the attack is complete, look for a response with:
A different length from the others.
A status code 302 or a success message in the response, indicating a successful login.
Result:
The username and password pair is now verified, and you can use them to access the account.
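
The flaw this lab relies on is a login handler whose failure responses differ by message and length depending on whether the username exists. The following is an added example, not code from the lab or from Burp Suite, showing such a handler beside a hardened one that returns a single failure response and does the same hashing work either way; the account store, error strings, redirect path and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credentials so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks account existence: the two failure branches return different bodies."""
    if username not in USERS:
        return 200, "Invalid username"      # assumed message text
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Incorrect password"    # different text and length
    return 302, "/account"                  # placeholder redirect target

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, body and hashing work for every failed attempt."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # A match against the dummy hash must never count as a login.
    if ok and username in USERS:
        return 302, "/account"
    return 200, "Invalid username or password"

def failure_responses(handler) -> set:
    """Distinct (status, body length) pairs seen across failed logins."""
    attempts = [("alice", "wrong"), ("nobody", "wrong"), ("", "")]
    return {(s, len(b)) for s, b in (handler(u, p) for u, p in attempts)}
```

A regression test that asserts `failure_responses` yields exactly one pair catches the response-length difference described in Step 3 before it ships; per-account and per-source rate limiting is still needed against the password guessing in Step 4.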
