Username enumeration via account lock
To access the lab visit the following link:
This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
Click on the given button to access the lab:
On the lab's home page there is a “My account” option. Click it to reach the login page.
Log in with any credentials so that Burp captures the login request. In this case I used “test” as both the username and the password.
As soon as we submit the form, the server responds with “Invalid username or password.”
Find the POST request in Burp's HTTP history, right-click it and send it to Repeater.
To check how the login behaves under repeated failures, send the same request several times in Repeater and compare the responses. Interestingly, no account lockout occurs at any point: submitting an incorrect (non-existent) username never triggers the lock mechanism.
So the lockout is not applied uniformly to every submitted username. If it is applied only to usernames that actually exist, the lock response itself becomes a signal that distinguishes valid accounts from invalid ones. Let's test this by brute-forcing the username with the list provided on the lab page.
Right-click the login request and send it to Intruder. In the Intruder “Positions” tab, set the attack type to Cluster bomb.
Click “Clear §” to remove all the automatic payload positions, then highlight the value of the username parameter.
Click “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
Next, click “Add §” immediately after the password parameter's value to mark that as the second payload position. You will see two § symbols after the password, as shown in the image below.
Navigate to the “Payloads” tab in Intruder.
Under “Payload sets”, make sure “Payload set 1” is selected; it corresponds to the username position you marked.
For the payload type, select “Simple list”.
Copy the usernames from the list provided on the lab page and click “Paste” in the payload settings to add them.
Now select “Payload set 2”, which corresponds to the password position you marked.
For the payload type, select “Null payloads”.
Under “Payload settings”, check the “Generate” option and enter 5 in the box next to it. Burp Suite will then generate 5 null payloads for this position. This means:
- Burp Suite will automatically create 5 (empty) payloads for the password position, so the password value in the request is left unchanged.
- This is a quick way to repeat a request a fixed number of times without defining each payload by hand.
In this attack we do this so that every username in the list is submitted 5 times in a row (5 login attempts per username), which is enough to trip a lockout if one exists for that account.
Now that all the payloads are configured, click the “Start attack” button.
Burp Suite will send the login request for each username in the list, repeated for each null payload, and display the results in the Intruder attack window.
In the results we cannot distinguish requests by status code, because every request returns 200. However, sorting by the “Length” column reveals two requests whose response length differs from the rest.
Rendering the response of either of these requests in the Response tab shows the account-lock error message.
Note the contrast with our earlier test: invalid usernames never triggered the lock, yet for this particular username the lock was activated after 3 consecutive failed attempts out of the 5 we sent. Since the lockout is evidently only enforced for accounts that exist, this is very likely a valid username.
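To make the logic flaw concrete, here is an added model (not the lab's own code) of a login handler with the same defect beside a hardened variant. The user store, messages, threshold and the `alice` account are constructed for this example. The vulnerable handler counts failures only for usernames that exist and returns a distinct lock message, so a fixed number of failed attempts yields a different response set for a real account than for a made-up one; the hardened handler counts failures for every submitted username, does the same hashing work on both paths, and answers lockouts with the generic failure message, so the two cases are indistinguishable.

```python
"""Model of an account-lock enumeration flaw and a hardened variant.
Added example; the user store, messages and threshold are constructed."""
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 3                               # lock after 3 consecutive failures (assumed)
GENERIC = "Invalid username or password."
LOCKED = "Account locked. Try again later."    # constructed lock message

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
# Constructed user store: one account, "alice" with password "correct-horse"
USERS = {"alice": {"salt": _SALT, "hash": _hash_pw("correct-horse", _SALT)}}
# Dummy hash so unknown usernames cost the same work as real ones
_DUMMY_HASH = _hash_pw("dummy", _SALT)


class VulnerableLogin:
    """Failures are counted only for usernames that exist, and a distinct
    message is returned once the account locks (the lab's flaw)."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        user = USERS.get(username)
        if user is None:
            return GENERIC                     # unknown user: no counter, never locks
        if self.failures[username] >= MAX_FAILURES:
            return LOCKED                      # only reachable for real accounts
        if hmac.compare_digest(_hash_pw(password, user["salt"]), user["hash"]):
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return GENERIC


class HardenedLogin:
    """Counts failures for every submitted username, existing or not, does the
    same hashing work on both paths, and answers a locked account with the
    same generic message as a failed attempt."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if self.failures[username] >= MAX_FAILURES:
            return GENERIC                     # locked, but not distinguishable
        user = USERS.get(username)
        salt = user["salt"] if user else _SALT
        expected = user["hash"] if user else _DUMMY_HASH
        match = hmac.compare_digest(_hash_pw(password, salt), expected)
        if user is not None and match:
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return GENERIC


def observed_responses(handler, username: str, attempts: int = 5) -> list:
    """Submit a fixed wrong password `attempts` times and return the responses;
    this is the per-username signal that an Intruder length sort surfaces."""
    return [handler.login(username, "wrong-password") for _ in range(attempts)]


def is_enumerable(handler_cls) -> bool:
    """True if a real and a made-up username yield different response sets."""
    known = set(observed_responses(handler_cls(), "alice"))
    unknown = set(observed_responses(handler_cls(), "nobody"))
    return known != unknown


if __name__ == "__main__":
    print("vulnerable:", observed_responses(VulnerableLogin(), "alice"))
    print("vulnerable enumerable:", is_enumerable(VulnerableLogin))
    print("hardened enumerable:", is_enumerable(HardenedLogin))
```

The hardened variant closes the oracle but still locks `alice` out after three wrong guesses from anyone, so in practice it would be paired with per-client rate limiting or a short, time-based lock rather than a permanent one; the important property for this lab is that the observable response no longer depends on whether the username exists.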
Now that we have identified a valid username, let's brute-force its password. Navigate back to Intruder in Burp Suite.
In the “Positions” tab, set the attack type to Sniper.
Click “Clear §” to remove all the automatic payload positions, then highlight the value of the password parameter.
Click “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
The password list is also provided on the lab page.
Navigate to the “Payloads” tab in Intruder and, under “Payload sets”, make sure “Payload set 1” is selected; it corresponds to the password position you marked.
For the payload type, select “Simple list”.
Copy the passwords from the lab page and click “Paste” in the payload settings to add the list.
Now that the payload is configured, click the “Start attack” button.
Burp Suite will send a login request with the identified username and each password from the list, and display the results in the Intruder attack window.
Once the attack finishes, sort by the “Length” column to find the outlier. One request has a response of a different length; rendering it in the Response tab shows no error message at all, which indicates that this payload is the correct password.
Let’s get back to our login page and try to login with the correct username and password we identified.
And we are successfully logged in. The lab is also marked as solved.
Congratulations! This concludes the walkthrough of the seventh authentication lab.
You can read the walkthrough of the eighth lab by clicking the following link: