Lab: Username enumeration via account lock
This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
- With Burp running, investigate the login page and submit an invalid username and password. Send the `POST /login` request to Burp Intruder.
- Select the attack type "Cluster bomb". Add a payload position to the `username` parameter. Add an arbitrary additional parameter to the end of the request and add a second payload position to it. For example:
- On the "Payloads" tab, add the list of usernames to the first payload set, and the numbers 1-5 as the second set. This will cause the usernames to be repeated 5 times. Start the attack.
- In the results, notice that the responses for one of the usernames were longer than the responses for the other usernames. Study the response more closely and notice that it contains a different error message: "You have made too many incorrect login attempts." Make a note of this username.
- Create a new Burp Intruder attack on the `POST /login` request, but this time select the "Sniper" attack type. Set the `username` parameter to the username that you just identified and add a payload position to the
- Add the list of passwords to the payload set and create a grep extraction rule for the error message. Start the attack.
- In the results, look at the grep extract column. Notice that there are a couple of different error messages, but one of the responses did not contain any error message. Make a note of this password.
- Wait for a minute to allow the account lock to reset. Log in using the username and password that you identified and access the user account page to solve the lab.
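The logic flaw the lab relies on is that the lock state is attached to the account, so the "too many incorrect login attempts" message can only ever be returned for a username that exists. The following is an added example, not code from the PortSwigger lab or its solution: a minimal login handler that reproduces that flaw, beside a hardened version that keys failure counting on the submitted username, returns one message for every failure path, and does the same hashing work for unknown users. The in-memory user store, the threshold of three failures, the one-minute lock, the message strings and the sample account are all assumptions made for this example.

```python
"""Added example (not the lab's code): flawed vs. hardened account-lock logic.
Threshold, lock duration, messages and the sample account are assumed values."""
import hashlib
import hmac
import secrets
import time

LOCK_THRESHOLD = 3          # assumed: lock after three failures
LOCK_SECONDS = 60           # assumed: lock lasts one minute (matches the lab's "wait a minute")
PBKDF2_ITERATIONS = 10_000  # kept low so the example runs quickly; use far more in production
GENERIC_MSG = "Invalid username or password."
LOCK_MSG = "You have made too many incorrect login attempts."
DUMMY_SALT = b"\x00" * 16   # used to do equal hashing work for non-existent users


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory user table: username -> salt, password hash, per-account lock state."""

    def __init__(self):
        self._users = {}

    def add(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def get(self, username):
        return self._users.get(username)


def _password_ok(record, password):
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))


def flawed_login(store, username, password, now=None):
    """The lab's flaw: lock state lives on the account, so only real usernames can
    ever produce LOCK_MSG. Returns (success, message)."""
    now = time.time() if now is None else now
    record = store.get(username)
    if record is None:
        return False, GENERIC_MSG            # unknown user: never locks, never says LOCK_MSG
    if record["locked_until"] > now:
        return False, LOCK_MSG               # distinguishable response => username enumeration
    if _password_ok(record, password):
        record["failures"] = 0
        return True, "OK"
    record["failures"] += 1
    if record["failures"] >= LOCK_THRESHOLD:
        record["locked_until"] = now + LOCK_SECONDS
    return False, GENERIC_MSG


def hardened_login(store, attempts, username, password, now=None):
    """Hardened form: failures are counted per *submitted* username (real or not),
    every failure path returns the same message, and the same hashing work is done
    for unknown users so timing does not leak existence either.
    `attempts` is a dict the caller keeps across requests."""
    now = time.time() if now is None else now
    state = attempts.setdefault(username, {"failures": 0, "locked_until": 0.0})
    record = store.get(username)
    if record is None:
        _hash(password, DUMMY_SALT)          # equal work, result discarded
        ok = False
    else:
        ok = _password_ok(record, password)
    if state["locked_until"] > now:
        return False, GENERIC_MSG            # locked, but indistinguishable from a bad password
    if ok:
        state["failures"] = 0
        return True, "OK"
    state["failures"] += 1
    if state["failures"] >= LOCK_THRESHOLD:
        state["locked_until"] = now + LOCK_SECONDS
    return False, GENERIC_MSG


def distinct_responses(login, username, tries, now):
    """Regression check: submit `tries` wrong passwords for one username and return
    the set of messages seen. A safe handler yields the same set for every username."""
    return {login(username, "not-the-password", now)[1] for _ in range(tries)}


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "s3cret-example")     # constructed sample account
    flawed = lambda u, p, now: flawed_login(store, u, p, now=now)
    print("flawed, real user:   ", distinct_responses(flawed, "alice", 5, 1000.0))
    print("flawed, unknown user:", distinct_responses(flawed, "nobody", 5, 1000.0))
    attempts = {}
    hard = lambda u, p, now: hardened_login(store, attempts, u, p, now=now)
    print("hardened, real user:   ", distinct_responses(hard, "alice", 5, 1000.0))
    print("hardened, unknown user:", distinct_responses(hard, "nobody", 5, 1000.0))
```

Running it shows the flawed handler returning two different messages for the real account and only one for an unknown name, which is exactly the length and message difference the Intruder results expose; the hardened handler returns the same single message for both. The `distinct_responses` check is the kind of assertion worth keeping in a login handler's test suite. Note the trade-off in the hardened version: because failures are counted per submitted name and locked accounts silently reject even correct passwords, a per-username lock can be used to keep a legitimate user out, so it is normally paired with a per-source rate limit rather than used alone.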