Username enumeration via subtly different responses
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses
Last updated
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses
Last updated
Let's click on the My account
button.
We are proxying the traffic through Burp Suite. Therefore we can find the login request in the Proxy > HTTP History
tab.
Let's forward the request to the Intruder
. Once in the Intruder
, let's set the payload field on the username
parameter.
Now we have to set the payload type to Simple list
. Once that is done, we can paste the usernames provided to us here in the Payloads settings
section.
Next, in the Intruder > Settings
tab, we have to go to the Grep - Extract
section and clink on the Add
button.
Inside the pop-up, select the following string from the response:
We can now start the attack.
As we can see, the request with the username
parameter set to apps
return a slightly different response, without the full stop. This means that the username worked which triggered different behaviour.
Now, we have to fuzz the password. With the username
parameter set to apps
, add the payload filed to the password
parameter.
In the Payloads
tab, set the type to Simple list
and paste the passwords provided to us.
Let's start the attack.
The request where the password
parameter was set to 1111
returned a 302 response. Now we can login using the fuzzed credentials:
Username | Password |
---|---|
apps | 1111 |
We have solved the lab.