Username Enumeration via Different Responses
In this lab, we explore what the login process looks like and how users are informed when incorrect credentials are used.
For this exercise, we will use two lists that we see even before clicking "Access the lab":
- Candidate usernames - https://portswigger.net/web-security/authentication/auth-lab-usernames
- Candidate passwords - https://portswigger.net/web-security/authentication/auth-lab-passwords
Upon entering the lab, we are presented with this page:

We click on "My Account" because we want to access the section related to "authentication".
We see the login panel:

Let's try to enter a made-up username and password, for example, adrian:password.
We see the message: "Invalid username":

This likely means that there is no user with that username in the system.
It is worth noting that an error message should not reveal this kind of information: it lets an attacker confirm which usernames exist before guessing a single password.
What should be returned instead? The better practice is a single generic message such as "Invalid username or password", so the response does not say which of the two values was wrong.
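To make the difference concrete, here is an added example (not code from the lab or the original post) showing a login handler written the way the lab's target behaves beside a hardened version. The user store, the usernames and the hashing parameters are constructed for illustration; the hardened handler also hashes a dummy credential when the user does not exist, so that the response time does not leak what the message no longer does.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy salt used when the username is unknown, so the uniform handler performs
# the same hashing work whether or not the account exists (assumption: this is
# a sufficient equaliser for the toy store; real systems should also measure it).
_DUMMY_SALT = os.urandom(16)

GENERIC_ERROR = "Invalid username or password"


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """The behaviour the lab demonstrates: the message reveals which field was wrong."""
    record = USERS.get(username)
    if record is None:
        return (False, "Invalid username")          # confirms the account does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password")        # confirms the account does exist
    return (True, "Login successful")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened variant: identical message, identical work, whichever field was wrong."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)       # burn the same CPU time, discard result
        return (False, GENERIC_ERROR)
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, GENERIC_ERROR)
    return (True, "Login successful")


if __name__ == "__main__":
    for handler in (login_verbose, login_uniform):
        print(handler.__name__, handler("adrian", "password"), handler("alice", "wrong"))
```

Note that Intruder sorts results by status code and response length as well as by text, so the hardened handler must also keep the HTTP status and page length identical for both failure cases; a generic string on a page that is otherwise different still enumerates.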
Let's move on to Burp Suite to see what the HTTP communication looked like:

This is the POST request that was sent when we logged in.
I will use the Intruder tool to check whether I can determine which user from the list actually exists.
I right-click the request and select "Send to Intruder":

I go to the "Intruder" tab and highlight the "username" value in the request body (line 23):

On the right-hand side I click "Add §", which marks this value as the insertion point that Intruder will replace with each entry of the list we upload shortly.
We move to the "Payloads" tab:

From the usernames page ( https://portswigger.net/web-security/authentication/auth-lab-usernames ) I copy all the usernames and add them to the payload list by clicking the "Paste" button:

After clicking "Paste":

We click "Start attack" on the right-hand side, then "OK" in the window that appears.