1. With Burp running, investigate the login page and submit an invalid username and password.
2. In Burp, go to "Proxy" > "HTTP history" and find the POST /login request. Send this to Burp Intruder.
3. In Burp Intruder, go to the "Positions" tab. Make sure that the attack type "Sniper" is selected.
4. Click "Clear" to remove any automatically assigned payload positions. In the username parameter, highlight the value and click "Add" to add a payload position to this parameter. The position is marked by two § symbols, for example: username=§invalid-username§
5. Leave the password as any static value for now.
6. On the "Payloads" tab, select the payload type "Simple list".
7. Under "Payload options", paste the list of candidate usernames and click "Start attack". The attack starts in a new window.
8. When the attack is finished, on the "Results" tab, examine the "Length" column. Click the column header to sort the results. Notice that one entry is different from the others.
9. Examine this response. Notice that the other responses contain the message Invalid username, but this response says Incorrect password. Take note of this username.
10. Close the attack and go back to the "Positions" tab. Click "Clear" again and change the username parameter to the username you just identified. Add a payload position to the password parameter: username=identifiedUser&password=§invalid-password§
11. On the "Payloads" tab, clear the list of usernames and replace it with the list of candidate passwords. Then click "Start attack".
12. When the attack is finished, look at the "Status" column. Notice that each request returned a 200 status code, until eventually one returns 302. This indicates that the login attempt was successful. Take note of the password.
13. Back in your browser, log in using the username and password that you identified.
14. Click "My account" to solve the lab.
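The lab works because the two failure branches return different messages ("Invalid username" versus "Incorrect password"), so the "Length" column in step 8 acts as a username oracle, and nothing slows the password list in step 12. The following is an added example, not code from PortSwigger or the lab: a toy login handler with the lab's behaviour next to a hardened version that returns one generic message, hashes a dummy value for unknown users so timing does not leak account existence, and locks out after repeated failures per IP and per account. The user store, salt, IP addresses and the `distinct_failure_responses` regression check are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

SALT = b"constructed-salt-for-demo"  # constructed; real code uses a per-user salt


def hash_password(password: str) -> bytes:
    """Toy salted hash so the example is self-contained (use argon2/bcrypt in practice)."""
    return hashlib.sha256(SALT + password.encode()).digest()


# Constructed user store: one known account.
USERS = {"alice": hash_password("correct-horse")}
# Random dummy hash so an unknown username still costs one full comparison.
DUMMY_HASH = secrets.token_bytes(32)

GENERIC_ERROR = "Invalid username or password"


def vulnerable_login(username, password):
    """Lab-style handler: the two failure messages differ, so usernames can be
    told apart by response body and length, exactly the signal step 8 sorts on."""
    if username not in USERS:
        return 200, "Invalid username"
    if hash_password(password) != USERS[username]:
        return 200, "Incorrect password"
    return 302, "/my-account"


class HardenedLogin:
    """Same login with one generic failure message, a dummy comparison for
    unknown users, and a failure lockout keyed by client IP and by account."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # (kind, value) -> failure timestamps

    def _recent(self, key, now):
        # Drop failures older than the window and return what is left.
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        return self._failures[key]

    def attempt(self, username, password, client_ip, now=None):
        now = time.monotonic() if now is None else now
        keys = (("ip", client_ip), ("user", username))
        if any(len(self._recent(k, now)) >= self.max_failures for k in keys):
            return 429, "Too many attempts, try again later"
        # Always hash and compare, even for unknown users, so timing does not leak existence.
        stored = USERS.get(username, DUMMY_HASH)
        matched = hmac.compare_digest(hash_password(password), stored)
        if not (matched and username in USERS):
            for k in keys:
                self._failures[k].append(now)
            return 200, GENERIC_ERROR  # identical body for both failure causes
        self._failures[("user", username)].clear()
        return 302, "/my-account"


def distinct_failure_responses(handler, candidate_usernames):
    """Regression check for a login endpoint: count the different responses that
    failed logins produce across candidate usernames. More than 1 means the
    endpoint is an enumeration oracle like the one in the lab."""
    responses = {handler(u, "definitely-wrong-password") for u in candidate_usernames}
    return len(responses)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", distinct_failure_responses(vulnerable_login, names))  # 2
    hardened = HardenedLogin()
    print("hardened:", distinct_failure_responses(
        lambda u, p: hardened.attempt(u, p, "198.51.100.7", now=0.0), names))  # 1
```

The `now` parameter exists only so the lockout window can be exercised deterministically; a real handler would also log the 429s and the per-account failure bursts, since a run of 200s ending in a 302 from one client (step 12) is the pattern a detection rule should alert on.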