Username enumeration via subtly different responses
On the login page, we see a generic error message: Invalid username or password.
Our task is to determine if there's any subtle difference in the server's response for valid usernames.
Using Burp Suite, intercept the login request when attempting to log in with arbitrary credentials (e.g., test:test).
The captured request contains two key parameters:
Username: The input username.
Password: The input password.
Send this intercepted request to Intruder for automated testing.
Configuring Intruder for Username Testing
Set Payload Positions:
Clear all selected payload positions and mark only the username parameter.
Payloads:
Go to the Payloads tab and paste the provided username list.
Start the Attack:
Launch the attack to send the modified requests.
Once the attack finishes, filter the results to search for any differences in responses:
Use Burp's search feature with the error message text "Invalid username or password." and enable negative search.
Identify responses that deviate slightly from the standard error message.
Upon doing that, we can see that one username returns a slightly different error message: "Invalid username or password" instead of "Invalid username or password." (notice the missing trailing dot). Because the server responds differently for this username, we infer that it is a valid one.
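As an added example (not part of the original write-up), here is the bug behind this lab in code: a login handler whose two failure branches differ only by the trailing period, next to a hardened version that returns one canonical response for every failed attempt, plus a check that can run as a regression test. The user store, hash choice and function names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed user store for the demo: username -> sha256(password). A real
# application would use a slow password hash (argon2, bcrypt, scrypt).
USERS = {"app01": hashlib.sha256(b"qazwsx").hexdigest()}
# Hash that no stored password equals; used so unknown usernames still do
# the same comparison work as known ones.
DUMMY_HASH = hashlib.sha256(b"<placeholder-never-a-real-password>").hexdigest()
GENERIC_ERROR = "Invalid username or password."


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(username: str, password: str):
    """Handler with the lab's bug: the two failure branches differ by a
    single trailing period, so a negative search for the generic message
    singles out usernames that exist. Returns (status_code, body)."""
    if username not in USERS:
        return 200, "Invalid username or password."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 200, "Invalid username or password"  # missing dot: the leak
    return 302, "/my-account"


def login_hardened(username: str, password: str):
    """Same handler with one failure path: every failed attempt returns a
    byte-identical status and body, and the hash comparison runs whether
    or not the username exists, so neither message nor timing differs."""
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if match and username in USERS:
        return 302, "/my-account"
    return 200, GENERIC_ERROR


def failed_logins_are_uniform(login, usernames, password="definitely-wrong"):
    """Defensive regression check: submit a wrong password for each
    username and confirm all responses are identical. True means no
    username can be told apart from the error response alone."""
    responses = {login(u, password) for u in usernames}
    return len(responses) == 1
```

The same check applies to a real application by replacing the handler call with an HTTP request and comparing status, headers and body for a set of known and unknown usernames.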
Configuring Intruder for Password Testing
Set Payload Positions:
Modify the username parameter to the valid username (app01) identified earlier.
Mark the password parameter as the payload position.
Payloads:
Use the provided password list as the payload.
Start the Attack:
Launch the attack to test passwords for the identified username.
After sorting the results by status code, we find a request that returns a 302 Found response. This indicates that the correct password has been identified.
Using the discovered credentials (app01:qazwsx), we log into the account successfully and access the user's account page.