Username enumeration via response timing

Lab Description

Walkthrough

Step 1: Initial Observations

• Upon visiting the login page, entering arbitrary credentials results in a rate-limiting error after multiple failed attempts, stating that you must wait 30 minutes.

• This indicates brute-force protection is enabled.

Step 2: Capturing and Analyzing the Login Request

1. Use Burp Suite to intercept the login request with arbitrary credentials such as test:test.

2. The intercepted request contains two key parameters:

   • Username: The entered username.

   • Password: The entered password.

3. Send this intercepted request to Intruder for automation.

Step 3: Bypassing Rate Limiting

• Based on the lab hint, the rate limiting can be bypassed by manipulating the X-Forwarded-For header to spoof the IP address.

• Test different headers until X-Forwarded-For successfully allows bypassing the rate-limiting mechanism.

The X-Forwarded-For header is commonly used by proxies to indicate the original IP address of a client. In this lab, the server uses it to track IP addresses for rate limiting. By modifying the X-Forwarded-For value to a unique one in each request, we effectively tricked the server into thinking that the requests were coming from different clients. This bypassed the IP-based rate-limiting mechanism, allowing us to continue brute-forcing without restrictions.

Step 4: Exploiting Timing Differences

The lab leverages a timing-based username enumeration vulnerability:

• When a valid username is entered, the server spends additional time verifying the password hash.

• For invalid usernames, the server rejects the request immediately after checking the username

you can read further about hashes at Passwords & Attacks

Step 5: Configuring Burp Intruder

1. Mark Payload Positions:

   • Mark X-Forwarded-For and username as payload positions.

   • Use a long password to maximize the timing difference when hashing valid usernames.

2. Set Payload Sets:

   • Payload Set 1 (X-Forwarded-For): Generate sequential numbers or IP addresses to bypass rate limiting.

   • Payload Set 2 (Username): Use the provided wordlist of usernames.

3. Attack Type:

   • Select Pitchfork Attack to test both payloads simultaneously.

Step 6: Analyzing the Results

• After executing the attack, observe the response times for each username.

• Identify the username with a noticeably longer response time. This indicates a valid username.

Step 7: Brute-Forcing the Password

1. Update the request in Burp Suite with the identified valid username.

2. Mark the password parameter as the payload position.

3. Load the provided password wordlist into Intruder.

Start the attack and observe the results.

• A 302 Found response indicates a successful login.

Step 8: Validating the Results

• Use the identified valid username and password to log into the application.

• Access the account page to confirm successful exploitation.