Solving PortSwigger Academy: Username enumeration via different responses
In this write-up we are going to solve the lab where we first enumerate a valid username based on differences in the server's responses and then brute-force that user's password.
When we visit the lab we see the page below.

Click on 'My account' and we will see the login page, where we need to enter a username and password.

At the start of the lab we are provided with lists of candidate usernames and passwords.
First I used a random username and password and clicked on Log in. Then I sent that request to Burp Intruder.

In Intruder, select the username value and click the 'Add' button; this tells Intruder which parameter to fuzz with the username list. In the Payloads tab, select the payload type Simple List and paste in the username list provided by the lab.
Start the attack by clicking Start attack. In the Results tab we see status code 200 for every request, but if you sort by the Length column you will notice that one username produces a response of a different length.

For the valid user, the application responded with an 'Incorrect password' message instead of the generic error. This gives us the valid username; now we need to brute-force the password for that user.
The Intruder setup stays the same. This time we supply the username we found and brute-force the password field.

Now filter the results by status code: the successful login returns a 302 redirect in this case, while every failed attempt returns 200.
Log in with the discovered credentials to solve the challenge.
If we analyse why this application is vulnerable:
- The application returned a different message for a valid username than for an invalid one. It should return one generic message, such as 'Invalid username or password', regardless of which part was wrong, and the response length and timing should not differ either.
- There is no rate limiting on login attempts, for either username enumeration or password guessing.
If you don't have Burp Pro, you can use ffuf. I copied the request into a file. Put the word FUZZ in place of the value you want to brute-force.

Command used:
ffuf -request /tmp/username_enumeration -w /tmp/username_list -fs 3140
- -request: the raw HTTP request we copied and want to fuzz
- -w: the wordlist of potential usernames
- -fs: filter out responses of this size (here the size of the generic failed-login response, so only the odd one out is shown)

Similarly we can brute-force the password. In the request file, put the username we discovered in the username field and FUZZ in place of the password.
Hope you liked the write-up, see you soon.