An attacker can perform username enumeration via account lock vulnerability by attempting multiple logins on a web application or website’s login page. During this process, the attacker repeatedly enters incorrect usernames. When they enter the accurate username, the system locks them out. This process can be performed using automation tools such as Burp Suite software. When the attacker uses brute force to test valid or invalid usernames, they can determine which username is being used in the system or web application. Let’s do a practical demonstration.
Steps to solve the lab
In the lab, we have already been given a list of usernames and passwords for brute forcing, which we will use to solve the lab and exploit the vulnerability.
First, go to the login page and submit a random username and password. Intercept the request in Burp Suite.
I captured the login request and sent it to Burp Suite’s Intruder extension Username enumeration via account lock. Then, I made some modifications. Firstly, I selected the username and added it to the payload, and then added two “§§” characters to the end of the password as shown in the screenshot. I also selected the cluster bomb attack type.
Now, follow these steps:
Step 1: Go to the Payloads tab and select “Simple list” in the Set payload 1 section. Add the list of usernames that were provided in the lab to the Payload options.
Step 2: In the Payload set, select the 2nd payload and set the payload type to “Null payloads.” Then, generate the payload and start the attack.
Step 3: Once the attack is complete, analyze the length. You will notice that it is different from the original response.
Step 4: You can see the result clearly in the screenshot. I assume that this could be a potential Username enumeration via account lock, so I resend the request to Intruder and select the password this time. I keep the attack type as simple and add the list of payloads to the payload options. The list contains the names of the candidates that were already provided in the lab.
Step 5: Go to the “Grep – Extract” option, which is the most important option. Add the error that we found in the response. Then, start the attack.
When we started the attack, we analyzed the requests and found that one of the requests was completely different, without any error. This means we have successfully logged into the account.
So, yes, we have successfully solved the lab.
thanks for reading. follow me on twiter @masaudsec