Introduction to the Vulnerability
As we explore authentication vulnerabilities, we are faced with different challenges. This time, we will be exploring username enumeration again. However, sometimes developers do not give any clue in error messages that could indicate whether the username we are entering is valid or invalid. This is because developers know that attackers can perform username enumeration on their system or application. So, they write error messages in such a way that attackers cannot figure out what went wrong. For example, developers display error messages like ‘invalid username or password’ or ‘username or password didn’t match’ when an attacker enters wrong credentials or wrong username. When an attacker sees these types of messages, it becomes difficult for them to perform username enumeration.
In such situations, an attacker can use the technique of ‘Username Enumeration via Subtly Different Responses’ to enumerate the username and then perform a brute-force attack on the account to compromise it.
So, this is the introduction to this vulnerability. Now, let’s see how it works practically with the help of the PortSwigger Web Security Academy labs, so that you can have a clear understanding of it.
Lab Description
So, today we have a lab that is vulnerable to Username Enumeration via Subtly Different Responses. In this lab, we have to find the username and password and solve the lab. To hunt for these vulnerabilities, you need a browser and Burp Suite software. I assume that you already have a browser and have installed Burp Suite software. You can also perform these tasks easily with the free version of Burp Suite.
Our aim here is to achieve the following:
- Enumerate the username first.
- Perform a brute-force attack on the login page to find passwords.
- Gain access to the account and solve the lab.
Steps to Exploit the Vulnerability
When I accessed the lab and clicked on “My Account,” I was presented with a login page. I used a random username “masaud” and a random password “masaud.” As you can see in the screenshot, I got an “Invalid username or password” error message.
Enumerate the username
Now, what do we do next? It’s simple. We will enable our proxy and open Burp Suite. Then, we will log in again using the same credentials. After that, we will analyze the HTTP history in Burp Suite.
In the Burp Suite HTTP history, we can see that there is a POST request for “/login.” If we read the body of the request, we can see that it has “username=masaud&password=masaud” at the end. This is the same login request that we performed from the browser.
Now, we will perform username enumeration and find the username. For that, we will send this request to Intruder.
We have sent the request to Intruder. Now, we will first click the “Clear” button once or twice, and then double-click on the “username” field to add it to the Intruder attack list. Since we are performing username enumeration, we will first find the username.
If you remember, when we were accessing the lab, we were provided with a random list of usernames and passwords. So, we will use the same lists for username and password bruteforcing. Now, we will go to the payloads section, select a simple list, and paste all the usernames.
We will go to the “Options” tab and then select “Grep – Extract”. We will mark the error message that we are receiving from the web application. Remember, it should be the same error message that was generated when we tried to log in. Then, click on “OK” and start the attack by clicking on “Start Attack
When our attack is complete, we click on the length or warning tab 1, 2 or 3 times, because we want to see those requests that are different. We have found a request where a dot is missing at the end. You can see it clearly in request number 28. Now we are sure that we have the username (adkit).
Perform a Brute-force Attack
We will now select the passwords list and use it for password bruteforcing.
the different request that we received, we sent it to Intruder. And this time we selected the password.
Now, we will go to the Payloads tab and paste our password list, which was provided in the lab. Then, we will click on Start Attack.
Gain Access and Solve the Lab
You can see that when we started the attack, we received a request at number 44 which was a 302 redirect. This means that we have successfully logged in to the application.
You can see that we have successfully solved the lab. Congratulations!