Username enumeration via response timing is a technique in which an attacker tries to discover valid usernames for a web application or system. Once valid usernames are known, a brute-force attack against the login has a much higher chance of success, because only the password remains to be guessed, which can lead to access to a user’s account and to the system or application behind it.
In this technique, the attacker submits both valid and invalid usernames to the login form and compares the response times. If the developer did not randomize the response time properly, the attacker can enumerate the accounts’ usernames.
When the attacker enters a valid username, the response is delayed by approximately 3 seconds. When the attacker enters an invalid username, the response is faster: the error message appears after about 1 second.
In this lab, we have a login feature that is vulnerable to brute-force attacks. The core vulnerability is the timing difference that exists when a user (or attacker) logs in. We are provided with a set of credentials to use: the username is “wiener” and the password is “peter”. We are also given two lists, one of candidate usernames and one of candidate passwords.
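The root cause of that 3-second-versus-1-second gap is usually that the server only runs its slow password hash when the username exists. The following added example (my own code, not the lab’s or PortSwigger’s) models both a leaky login and a hardened one in Python with PBKDF2. The user table, the work factor and the unknown username “nobody” are constructed for the demonstration; “wiener”/“peter” are the lab credentials from the write-up. The `KDF_CALLS` counter is instrumentation that shows, deterministically, whether the expensive step was skipped, while `timing_gap_ms` shows the same thing on the wall clock.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # constructed work factor; large enough to make a skipped KDF visible
KDF_CALLS = 0          # instrumentation only: how many times the slow KDF actually ran


def _kdf(password: str, salt: bytes) -> bytes:
    """The expensive step. A leaky login runs it only for known users."""
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


# constructed user table holding the lab account from the write-up
USERS = {"wiener": make_record("peter")}
# throwaway record whose only job is to burn the same KDF time for unknown usernames
DUMMY_SALT, DUMMY_HASH = make_record("not-a-real-password")
KDF_CALLS = 0  # reset after setup so measurements start from zero


def login_vulnerable(username: str, password: str) -> bool:
    """Leaky pattern: the KDF is skipped when the username is unknown, so an
    invalid username returns almost instantly and a valid one takes the full KDF time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_kdf(password, salt), stored)


def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: unknown usernames are checked against a dummy record so the
    KDF always runs; the existence check happens only after the same amount of work."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = _kdf(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def kdf_calls_for(login_fn, username: str, password: str) -> int:
    """How many KDF invocations one login attempt costs (deterministic, unlike timing)."""
    global KDF_CALLS
    KDF_CALLS = 0
    login_fn(username, password)
    return KDF_CALLS


def timing_gap_ms(login_fn, password: str, known="wiener", unknown="nobody") -> float:
    """Wall-clock difference between a known and an unknown username; illustrative only,
    since it depends on the machine and the work factor."""
    def elapsed(user: str) -> float:
        start = time.perf_counter()
        login_fn(user, password)
        return time.perf_counter() - start
    return abs(elapsed(known) - elapsed(unknown)) * 1000


if __name__ == "__main__":
    # same password for both usernames, so any gap comes from the skipped KDF alone
    probe = "A" * 100
    print("leaky login gap (ms):   ", round(timing_gap_ms(login_vulnerable, probe), 1))
    print("hardened login gap (ms):", round(timing_gap_ms(login_constant_work, probe), 1))
```

The design point is that the hardened version does not add random delay; it makes the work identical on both paths, which closes the signal rather than blurring it. Running the block prints a clearly non-zero gap for the leaky login and a gap near zero for the hardened one.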
Goals of this lab
First, we will enumerate the valid user. Then we will brute-force the password list provided to us. Finally, we will log in and solve the lab.
The first step is to enumerate the username. We will open the lab and enter a random username and password to view the error message.
When I entered a random password, I received the generic error message “invalid username or password”. Now we will capture this request in Burp Suite and send it to Intruder. Remember, we are sending this request to Intruder to enumerate usernames: we will iterate over the list of possible usernames provided to us. We also include our known-good username “wiener” in the list, because the vulnerability is username enumeration via response timing: if its response time differs from the others, that confirms the site is vulnerable.
I first intercepted the login request and sent it to Intruder. Then I loaded the list of possible usernames as the payload and started the attack.
We performed the brute-force attack, but all response times were the same, which indicates that the application has a firewall in place that blocks our repeated requests. To bypass this control, we need to use a header.
The header we will use is X-Forwarded-For. We add this header to the request and send it to Intruder. Alongside the username position, we mark the X-Forwarded-For header value (initially “0”) as a second payload position. As the requests are sent to the server one by one, the header value changes each time, so the server does not block us and the attack can run to completion.
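The reason rotating X-Forwarded-For works is that the application keys its lockout on a header any client can write. The following added example (my own code, not the lab’s) shows a small Python rate limiter in both forms: the weak configuration that trusts the header unconditionally, and the corrected one that honours X-Forwarded-For only when the TCP peer is a known reverse proxy. The proxy address, the limit of 5 and the replayed request stream are constructed for the demonstration; they are not values from the lab.

```python
from collections import defaultdict

# constructed: the only reverse proxy allowed to set X-Forwarded-For on our behalf
TRUSTED_PROXIES = {"10.0.0.5"}
MAX_FAILURES = 5  # constructed lockout threshold


def client_ip(remote_addr: str, headers: dict, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Corrected setting: X-Forwarded-For is attacker-controlled text unless the
    connection itself comes from a proxy we operate."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in trusted_proxies:
        # leftmost entry is the original client as appended by our proxy chain
        return xff.split(",")[0].strip()
    return remote_addr


def naive_key(remote_addr: str, headers: dict) -> str:
    """Weak setting: whatever the header says is treated as the client address."""
    return headers.get("X-Forwarded-For", remote_addr)


class LoginRateLimiter:
    """Counts failed logins per key and refuses further attempts past the limit."""

    def __init__(self, key_fn, limit: int = MAX_FAILURES):
        self.key_fn = key_fn
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, remote_addr: str, headers: dict) -> bool:
        key = self.key_fn(remote_addr, headers)
        if self.failures[key] >= self.limit:
            return False
        self.failures[key] += 1  # every attempt in this simulation is a failure
        return True


def simulate(limiter: LoginRateLimiter, attempts: int) -> int:
    """Replay `attempts` failed logins from one peer that sends a fresh numeric
    X-Forwarded-For value on each request, the pattern the write-up's Intruder
    payload produces. Returns how many attempts got through."""
    allowed = 0
    for i in range(attempts):
        if limiter.allow("203.0.113.7", {"X-Forwarded-For": str(i)}):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("header-keyed limiter let through:", simulate(LoginRateLimiter(naive_key), 20))
    print("peer-keyed limiter let through:  ", simulate(LoginRateLimiter(client_ip), 20))
```

With the naive key every one of the 20 attempts is allowed, because each request lands in a fresh bucket; with `client_ip` the peer is locked out after the fifth failure regardless of what the header claims. The same keying rule should apply to any logging used for detection, otherwise the spoofed values end up in the audit trail as if they were real sources.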
We tried both the Pitchfork and Battering ram attack types but got no distinguishing response; the results were still the same. Now we will use the final method, which is to enumerate usernames through the password: we supply a very long password and run the same attack again.
As you can see, we have now entered a long password and click “Start attack” again. The results are in; let’s look at them.
As you can see, the response time for username=announcements is quite different from all the others and closest to that of our real user “wiener”. Let’s assume we have found the username. Now we send this request to Intruder and run the attack with the list of passwords.
We guessed the password correctly and have found it. The “302” response means we have successfully logged in to the account. In this last step we used the Battering ram attack type, marked the password position, and loaded the password list provided to us as the payload.
Here we go, we have successfully logged in and solved the lab. If you have any questions or queries, you can ask me on Twitter at @masaudsec.