Lab: Username enumeration via account lock
This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user's password, then access their "My account" page.
- With Burp running, investigate the login page and submit an invalid username and password. Send the POST /login request to Burp Intruder.
- Select the attack type "Cluster bomb". Add a payload position to the username parameter. Add an arbitrary additional parameter to the end of the request and add a second payload position to it. For example:
- On the "Payloads" tab, add the list of usernames to the first payload set, and the numbers 1-5 as the second set. This will cause each username to be repeated 5 times. Start the attack.
- In the results, notice that the responses for one of the usernames were longer than the responses for the other usernames. Study that response more closely and notice that it contains a different error message: "You have made too many incorrect login attempts." Take note of this username.
- Create a new Burp Intruder attack on the POST /login request, but this time select the "Sniper" attack type. Set the username parameter to the username that you just identified and add a payload position to the
- Add the list of passwords to the payload set and create a grep extraction rule for the error message. Start the attack.
- In the results, look at the grep extract column. Notice that there are a couple of different error messages, but one of the responses did not contain any error message. Take note of this password.
- In your browser, wait for a minute to allow the account lock to reset, then log in using the credentials you identified.
- Click "My account" to solve the lab.
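The logic flaw this lab relies on, modelled as an added example (not the lab's or PortSwigger's code): a login handler that only tracks and reports lock-outs for usernames that exist, and that still accepts a correct password while the account is locked, next to a hardened version that answers every failure identically and enforces the lock before checking the credential. The user store, thresholds and messages are constructed to mirror the lab's 5-attempt, one-minute lock; failure_messages is the regression check a defender would run to confirm the response set no longer depends on whether the username exists.

```python
import hmac
USERS = {"carlos": "montoya"}  # constructed demo account, not the lab's real data
LOCK_THRESHOLD = 5   # the lab trips the lock by repeating each username 5 times
LOCK_SECONDS = 60    # the lab says to wait a minute for the lock to reset
GENERIC = "Invalid username or password."
LOCKED = "You have made too many incorrect login attempts."

def _password_ok(username, password):
    # unknown names compare against "" so the check runs for every username
    return hmac.compare_digest(USERS.get(username, "").encode(), password.encode())

class VulnerableLogin:
    """Lab's flaw: only real accounts ever show the lock message, and a correct
    password is still accepted while the account is locked."""
    def __init__(self):
        self.failures = {}  # username -> (failure count, window start)

    def login(self, username, password, now):
        if username not in USERS:
            return GENERIC  # unknown names never reach the lock branch
        if _password_ok(username, password):
            self.failures.pop(username, None)
            return "OK"  # the lock is never consulted on the success path
        count, since = self.failures.get(username, (0, now))
        if now - since >= LOCK_SECONDS:
            count, since = 0, now
        self.failures[username] = (count + 1, since)
        return LOCKED if count + 1 >= LOCK_THRESHOLD else GENERIC

class HardenedLogin:
    """One response for every failure; the lock is keyed on the submitted name
    whether or not it exists, and it is enforced before the credential check."""
    def __init__(self):
        self.failures = {}

    def login(self, username, password, now):
        count, since = self.failures.get(username, (0, now))
        if now - since >= LOCK_SECONDS:
            count, since = 0, now
        if count >= LOCK_THRESHOLD:
            return GENERIC  # locked, but indistinguishable from any other failure
        if _password_ok(username, password):
            self.failures.pop(username, None)
            return "OK"
        self.failures[username] = (count + 1, since)
        return GENERIC

def failure_messages(handler, username, attempts, now=0):  # defender's regression check
    return {handler.login(username, "not-the-password", now) for _ in range(attempts)}
```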