Portswigger - Username enumeration via subtly different responses

Jun Takemura · May 19, 2025

Username enumeration via subtly different responses

This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, both of which appear in the candidate username and password wordlists that the lab provides.

To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Attempt

Go to My account and submit random credentials. Capture the login request with Burp.

Using Intruder, enumerate the username by sending the login request once for each username in the candidate list.

Go to Intruder > Settings > Grep Extract and add a new rule. Highlight the error message in a response and Burp will automatically extract it from every response in the attack.

(You could also use Grep Match here, matching the exact error message including its final character, because the odd case is missing one character. A Grep Match on the message in general, without that exact text, flags nothing.)

Notice that argentina’s error message is missing a trailing period. (This is hard to spot from the response length alone, because each response also carries a varying analytics ID.)

Go back to Intruder and attack the password for that username. The password daniel returns a 302.
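The root cause of this lab is a login handler whose two failure branches produce slightly different text, so the "missing period" response reveals which usernames exist. The following Python is an added example, not code from the lab or from PortSwigger: it shows a constructed leaky handler beside a hardened one that returns a single, identical failure message for both unknown users and wrong passwords, plus a small regression check a developer can run to confirm that a handler's failure responses do not vary by username. The user store, salt, and credentials are constructed for the example.

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (iteration count kept low for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store for this example (not the lab's account).
_SALT = b"example-salt-not-for-production"
USERS = {
    "carlos": _hash("s3cret-example", _SALT),
}

FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> str:
    """Vulnerable pattern: unknown-user and wrong-password branches differ by one character."""
    stored = USERS.get(username)
    if stored is None:
        return "Invalid username or password"   # no trailing period: leaks 'user does not exist'
    if stored == _hash(password, _SALT):
        return "302 Found: /my-account"
    return "Invalid username or password."      # trailing period: leaks 'user exists'


def login_uniform(username: str, password: str) -> str:
    """Hardened pattern: one failure string, and the hash is always computed and
    compared in constant time, so neither the text nor the timing depends on
    whether the username exists."""
    stored = USERS.get(username)
    candidate = _hash(password, _SALT)
    # Compare against a dummy digest when the user is unknown so the work done is the same.
    reference = stored if stored is not None else _hash("", _SALT)
    if stored is not None and hmac.compare_digest(reference, candidate):
        return "302 Found: /my-account"
    return FAILURE


def distinct_failure_responses(handler, usernames, password="definitely-wrong"):
    """Regression check: the set of distinct failure responses a handler returns
    across a username list. A non-enumerable handler yields exactly one."""
    return {handler(u, password) for u in usernames}


if __name__ == "__main__":
    probe = ["carlos", "argentina", "admin"]
    print("leaky  :", distinct_failure_responses(login_leaky, probe))
    print("uniform:", distinct_failure_responses(login_uniform, probe))
```

The check is the same idea as the Grep Extract step above, applied in a unit test before deployment: if `distinct_failure_responses` ever returns more than one element for a mixed list of real and fake usernames, the failure path has started to leak again. Because this lab's responses also carry a varying analytics ID, a check that compares whole response lengths would not catch the difference; comparing the extracted error text, as the handler-level check does, is what makes it reliable.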
