Username enumeration via account lock
Task
This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
Attempt
I tried brute forcing using cluster bomb but didn't find the correct credentials. However, some requests got a different error: "You have made too many incorrect login attempts". It's very odd since I just fired Intruder with thousands of requests and most of the requests just got an "incorrect" error.
Turned out only "ajax" got that error. Highly likely this username is actually correct. Note that I tried this lab a couple of times and the correct credentials changed!
And oddly enough one of the requests got no errors though it didn't successfully log in. This is because that username got a temporary ban. Wait a bit and you can log in to the website with that password.
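The logic flaw the lab relies on is that the lockout only exists for real accounts, so after a few wrong guesses a real username answers differently from a made-up one. The following is an added illustration, not code from the lab or from this write-up: a minimal login handler with that flaw next to a hardened version that answers identically for every username and keys its counter on (client, username). The user "ajax", the password, the threshold and the client address are constructed for the demo; the lab's real behaviour differs in details.

```python
"""Added example (not part of the lab or the original write-up): a lockout that
leaks whether a username exists, next to one that does not. All credentials,
thresholds and addresses below are constructed demo values."""
import hashlib
import hmac
from collections import defaultdict

# Constructed demo credential store: username -> sha256(password)
USERS = {
    "ajax": hashlib.sha256(b"correct-horse").hexdigest(),
}

LOCK_THRESHOLD = 3          # constructed value: wrong attempts before lockout
GENERIC = "Invalid username or password."


def _password_ok(username, password):
    """Constant-time compare against the stored digest; False for unknown users."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


class FlawedLogin:
    """Lockout keyed on existing accounts only. A non-existent user can never be
    locked, so after LOCK_THRESHOLD attempts the error text depends on whether
    the username exists: an enumeration oracle."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username, password):
        if username in USERS and self.failures[username] >= LOCK_THRESHOLD:
            return "You have made too many incorrect login attempts"
        if _password_ok(username, password):
            self.failures[username] = 0
            return "Welcome"
        if username in USERS:           # counter is only kept for real accounts
            self.failures[username] += 1
        return GENERIC


class HardenedLogin:
    """Same failure path for every submitted username. The lock state is never
    reported in-band, and the counter is keyed per (client, username), so a
    wrong guess against an unknown name costs exactly what a real one does."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username, password, client_ip="203.0.113.10"):
        key = (client_ip, username)
        if self.failures[key] >= LOCK_THRESHOLD:
            # Locked: still answer with the generic message; even a correct
            # password is refused until the lock expires (handled out of band).
            return GENERIC
        if _password_ok(username, password):
            self.failures[key] = 0
            return "Welcome"
        self.failures[key] += 1         # counted whether or not the user exists
        return GENERIC


def response_set(handler, username, attempts=LOCK_THRESHOLD + 1):
    """Distinct responses one caller sees for a username over several wrong
    passwords. If this set differs between a real and a made-up username, the
    handler leaks account existence."""
    return {handler.login(username, f"wrong-{i}") for i in range(attempts)}


if __name__ == "__main__":
    print("flawed   real/fake:", response_set(FlawedLogin(), "ajax"),
          response_set(FlawedLogin(), "nobody"))
    print("hardened real/fake:", response_set(HardenedLogin(), "ajax"),
          response_set(HardenedLogin(), "nobody"))
```

The useful check for a defender is `response_set`: run it against a known account and an invented one and compare status, body and timing. The hardened class also reproduces the "correct password, no error, but not logged in" behaviour the write-up describes, because a locked account is refused with the generic message even when the password is right.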
Thoughts
The key to solving this lab is observing the results of Intruder. Sort the results by response time, error code, length, etc. and find the clue.