Username enumeration via response timing

Jun Takemura · May 20, 2025

Task

This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Your credentials: wiener:peter
Candidate usernames
Candidate passwords

Attempt

Use Intruder against the login form to enumerate the correct username. But after the 2nd payload, I got a "too many incorrect login attempts" error. Add the X-Forwarded-For header and, using the Pitchfork attack type, spoof your IP address with a different value per request.

Since this website doesn't give you any overt error message indicating that only your password is incorrect, you need to submit a very long password so that the server takes measurably longer to process it for a valid username than for an invalid one.


You can generate a pseudo-random string like this and copy it to the clipboard:

```sh
# 128 random alphanumeric characters from /dev/urandom, copied to the X clipboard
< /dev/urandom tr -dc 'a-zA-Z0-9' | head -c128 | xclip -selection clipboard
```

After identifying the correct username, go brute-force the password and log in to the website!
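As an added illustration that is not part of the lab or this writeup, here is the server-side behaviour the timing trick depends on, modelled in Python: a login that only runs the expensive password hash when the username exists, next to a hardened version that does the same work for every username. The user store, the dummy record and the hash cost model (cost growing with password length) are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed user store; hash cost is modelled as growing with password length.
BASE_ITER, PER_CHAR_ITER = 20_000, 500
MAX_PASSWORD_LEN = 128
HASH_CALLS = {"count": 0}   # instrumentation: how often the expensive step ran

def slow_hash(password: str, salt: bytes) -> bytes:
    """The expensive server-side step; its cost is the timing signal."""
    HASH_CALLS["count"] += 1
    iterations = BASE_ITER + PER_CHAR_ITER * len(password)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(password: str):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

USERS = {"wiener": make_user("peter")}
DUMMY_SALT, DUMMY_HASH = make_user("dummy-never-matches")

def login_vulnerable(username: str, password: str) -> bool:
    """Leaks usernames: unknown users return before the hash runs, so fast."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_hardened(username: str, password: str) -> bool:
    """Same work for every username: unknown users are hashed against a dummy."""
    if len(password) > MAX_PASSWORD_LEN:
        return False                      # checked before lookup, so no per-user leak
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and username in USERS       # the dummy record must never log in

def timed_ms(fn, username: str, password: str) -> float:
    start = time.perf_counter()
    fn(username, password)
    return (time.perf_counter() - start) * 1000

if __name__ == "__main__":
    pw = "A" * 120   # a long password widens the gap, as in the lab
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} wiener {timed_ms(fn, 'wiener', pw):6.1f} ms  "
              f"nobody {timed_ms(fn, 'nobody', pw):6.1f} ms")
```

Running it shows the vulnerable login answering almost instantly for "nobody" but slowly for "wiener", while the hardened one takes the same time for both.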

Thoughts

Though I just blasted Intruder and performed a brute-force attack, this is not realistic, because in real environments you don't know what kind of vulnerability they have, and brute-forcing attempts are often prohibited by the rules. And you know that a 128-letter password is too long for most websites.
