search

Username enumeration via subtly different responses

hashtag
Lab Description

hashtag
Walkthrough

hashtag
Step 1: Observing the Login Page

On the login page, we see a generic error message: Invalid username or password. Our task is to determine if there's any subtle difference in the server's response for valid usernames.

hashtag
Step 2: Capturing the Login Request

Using Burp Suite, intercept the login request when attempting to log in with arbitrary credentials (e.g., test:test).

The captured request contains two key parameters:

  • Username: The input username.

  • Password: The input password.

Send this intercepted request to Intruder for automated testing.

hashtag
Step 3: Enumerating Usernames

Configuring Intruder for Username Testing

  1. Set Payload Positions:

    • Clear all selected payload positions and mark only the username parameter.

  2. Payloads:

    • Go to the Payloads tab and paste the provided username list.

  3. Start the Attack:

    • Launch the attack to send the modified requests.

hashtag
Analyzing Responses

Once the attack finishes, filter the results to search for any differences in responses:

  • Use Burp's search feature with the error message text Invalid username or password. and enable negative search.

  • Identify responses that deviate slightly from the standard error message.

Upon doing that, we can see that there's one username with a slightly different error message, invalid username or password. vs invalid username or passwordnotice the mission dot

guessing with a different response that this username is a valid one

hashtag
Step 4: Brute-Forcing the Password

Configuring Intruder for Password Testing

  1. Set Payload Positions:

    • Modify the username parameter to the valid username (app01) identified earlier.

    • Mark the password parameter as the payload position.

  2. Payloads:

    • Use the provided password list as the payload.

  3. Start the Attack:

    • Launch the attack to test passwords for the identified username

hashtag
Analyzing Responses

After sorting the results by status codes, we find a request that returns a 302 Found response. This indicates that the correct password has been identified.

hashtag
Step 5: Verifying Access

Using the discovered credentials (app01:qazwsx), we log into the account successfully and access the user’s account page.

PreviousPassword reset broken logicNextUsername enumeration via response timing

Last updated