Username enumeration via subtly different responses
Let's click on the **My account** button. We are proxying the traffic through Burp Suite, so we can find the login request in the **Proxy > HTTP history** tab. Let's send the request to **Intruder**.
Once in **Intruder**, let's set the payload position on the `username` parameter. Now we have to set the payload type to **Simple list**. Once that is done, we can paste the usernames provided to us into the **Payload settings** section.
Next, in the **Intruder > Settings** tab, we have to go to the **Grep - Extract** section and click on the **Add** button. Inside the pop-up, select the following string:

`Invalid username or password.`
We can now start the attack.
As we can see, the request with the `username` parameter set to `apps` returns a slightly different response, without the full stop. This means that the username is valid, which triggered the different behaviour.
Now we have to fuzz the password. With the `username` parameter set to `apps`, add the payload position to the `password` parameter. In the **Payloads** tab, set the type to **Simple list** and paste the passwords provided to us. Let's start the attack.
The request where the `password` parameter was set to `1111` returned a 302 response. Now we can log in using the fuzzed credentials:

| Username | Password |
|---|---|
| apps | 1111 |
We have solved the lab.
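To show the server-side cause of what the Intruder attack above picks up, here is an added example that is not part of this write-up and not PortSwigger's lab code. It assumes a hypothetical login handler in two versions: `login_vulnerable`, which reproduces the flaw (the "unknown user" and "wrong password" paths return bodies that differ only by a trailing full stop), and `login_hardened`, which returns one identical failure response and hashes a dummy record for unknown users so the two failure paths are not distinguishable. The credential store is constructed for the example and mirrors the `apps` / `1111` pair found in the lab; `failure_responses` performs the same check the write-up does by hand with Grep - Extract, collecting the distinct failure responses seen across a set of attempts.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (not the lab's data): username -> (salt, pbkdf2 hash).
# The single account "apps" with password "1111" mirrors the credentials in the write-up.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_APPS_SALT = secrets.token_bytes(16)
USERS = {"apps": (_APPS_SALT, hash_password("1111", _APPS_SALT))}

# Dummy record used when the username is unknown, so the hardened handler still
# performs one password hash and one comparison on every request.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(8), _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Hypothetical handler with the lab's flaw: the two failure paths return
    subtly different bodies, so a valid username can be told apart."""
    if username not in USERS:
        return 200, "Invalid username or password."
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return 200, "Invalid username or password"  # trailing full stop missing
    return 302, "/my-account"


def login_hardened(username: str, password: str):
    """Same logic, but unknown-user and bad-password failures are indistinguishable:
    one literal failure body, and a dummy hash check when the user does not exist."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(stored, hash_password(password, salt))
    if password_ok and username in USERS:
        return 302, "/my-account"
    return 200, "Invalid username or password."


def failure_responses(login, attempts):
    """Collect the distinct (status, body) pairs produced by failed attempts.

    This is the check the write-up performs with Grep - Extract: if more than one
    distinct failure response exists, the handler leaks whether a username is valid.
    """
    distinct = set()
    for username, password in attempts:
        status, body = login(username, password)
        if status != 302:
            distinct.add((status, body))
    return distinct


if __name__ == "__main__":
    probes = [("wrong-user", "x"), ("apps", "x")]
    print("vulnerable:", failure_responses(login_vulnerable, probes))
    print("hardened:  ", failure_responses(login_hardened, probes))
```

Running the script prints two distinct failure responses for the vulnerable handler and a single one for the hardened handler. The fix is not only the identical message: without the dummy hash, the unknown-user path would return noticeably faster than the wrong-password path, which a timing-based version of the same Intruder attack would pick up.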