Lab: Username enumeration via response timing
The application will block you after a few attempts

get the header checklist from
https://appsecexplained.gitbook.io/appsecexplained/bypassing-controls/rate-limiting
when you put these headers in the request
it will remove your restriction

then try sending about 5 attempts
it will lock again

changing the IP from 1.2.3.4 to 1.2.3.5
gets you unlocked

when you change the other headers and you still get restricted
it means that 'X-Forwarded-For: 1.2.3.5'
is the only header we need

choose pitchfork: it will try the numbers in set 1 first
then it will try the usernames in set 2
use a long string as the password so that we can tell which username is valid based on the response timing

for set 1 choose numbers 10-110 because we have 101 usernames in username.txt

load the usernames

ftp is the user with the highest "Response received" time
why? because ftp is a valid username, so the server actually processes the password that is too long, and that takes noticeably longer to respond

now we will brute-force the password
put ftp as the username

Now we have the password, jordan, since it returns a 302 status code, which indicates a redirection to another page

we can't really log in as of now because we have a 30-minute lockout

but we can intercept the request and add the 'X-Forwarded-For' header
with the correct username and password

now we have solved the lab
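The two server-side mistakes these notes rely on are worth seeing side by side with their fix. The toy login handler below is an added example (not code from the lab or from PortSwigger): `VulnerableLogin` keys its lockout on the client-supplied X-Forwarded-For header and skips password hashing for unknown usernames, which is exactly why rotating the header resets the counter and why a valid username with a very long password answers slower; `HardenedLogin` keys the counter on the real socket address and hashes a dummy value for unknown users so every username costs the same. The user store, the hashes, the salt, the failure limit and the addresses are all constructed for the demo.

```python
"""
Added example, not part of the lab notes: a toy login handler showing
  1. lockout keyed on attacker-controlled X-Forwarded-For (vulnerable) vs. the real peer address (hardened)
  2. skipping the slow hash for unknown usernames (timing leak) vs. hashing a dummy value every time
All users, hashes, salts, limits and addresses below are constructed for the demo.
"""
import hashlib
import hmac
import time
from collections import defaultdict

SALT = b"demo-salt"         # constructed; a real system uses a random per-user salt
ITERATIONS = 100_000        # slow enough that the timing gap is measurable

def slow_hash(password: str) -> bytes:
    """PBKDF2 stand-in for whatever slow password hash the server uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {"ftp": slow_hash("jordan")}             # constructed user store: only "ftp" exists
DUMMY_HASH = slow_hash("not-a-real-password")    # precomputed so unknown users cost the same
MAX_FAILURES = 3                                 # constructed lockout threshold

class VulnerableLogin:
    """Lockout keyed on X-Forwarded-For; unknown usernames take a fast path."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, headers, remote_addr, username, password):
        key = headers.get("X-Forwarded-For", remote_addr)   # BUG: the client chooses the key
        if self.failures[key] >= MAX_FAILURES:
            return 403, "locked"
        stored = USERS.get(username)
        if stored is None:                                   # BUG: no hashing -> fast reply leaks validity
            self.failures[key] += 1
            return 401, "invalid"
        if hmac.compare_digest(stored, slow_hash(password)):
            self.failures[key] = 0
            return 302, "/my-account"
        self.failures[key] += 1
        return 401, "invalid"

class HardenedLogin:
    """Lockout keyed on the real peer address; every username pays for one slow hash."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, headers, remote_addr, username, password):
        key = remote_addr                                    # client-supplied headers are ignored
        if self.failures[key] >= MAX_FAILURES:
            return 403, "locked"
        stored = USERS.get(username, DUMMY_HASH)             # same work whether or not the user exists
        computed = slow_hash(password)                       # always performed
        if hmac.compare_digest(stored, computed) and username in USERS:
            self.failures[key] = 0
            return 302, "/my-account"
        self.failures[key] += 1
        return 401, "invalid"

def timed(login, headers, addr, user, pw):
    t0 = time.perf_counter()
    status, _ = login.attempt(headers, addr, user, pw)
    return status, time.perf_counter() - t0

def lockout_bypassed(login_cls) -> bool:
    """Regression check: does changing X-Forwarded-For after a lockout reset the counter?"""
    login = login_cls()
    for _ in range(MAX_FAILURES):
        login.attempt({"X-Forwarded-For": "1.2.3.4"}, "10.0.0.9", "ftp", "wrong")
    status, _ = login.attempt({"X-Forwarded-For": "1.2.3.5"}, "10.0.0.9", "ftp", "wrong")
    return status != 403

def timing_gap(login_cls) -> float:
    """Seconds by which a failed login for a valid user exceeds one for an unknown user."""
    login = login_cls()
    _, t_unknown = timed(login, {}, "10.0.0.1", "nosuchuser", "x" * 200)
    _, t_valid = timed(login, {}, "10.0.0.2", "ftp", "x" * 200)
    return t_valid - t_unknown

if __name__ == "__main__":
    for cls in (VulnerableLogin, HardenedLogin):
        print(cls.__name__, "bypassed:", lockout_bypassed(cls),
              "timing gap: %.4fs" % timing_gap(cls))
```

The hardened class still has a gap a real deployment must close: if the application sits behind a reverse proxy, `remote_addr` is the proxy, so the server should take the client address from the proxy's own header only when the request actually arrived from that trusted proxy, never from an arbitrary X-Forwarded-For value. The "Response received" column sorting used in the notes is the tester's view of the second bug; the dummy-hash pattern in `HardenedLogin` is what removes it.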
