Username enumeration via subtly different responses

This lab is similar to the previous one, but this time it shows a different error message - "Invalid username or password".

Once again we use Burp Suite's Intruder to brute-force the username and password. On the "Options" tab there is a section called "Grep - Extract". Here we can select the error message from a previous response so that Intruder extracts it from every response and shows it as a column while the attack runs.

During the brute-force attack, one of the rightmost columns shows the extracted error message. Although almost all of the messages are identical, one username produces a subtly different error: its message is missing the trailing period (".").

In this case it happens to be the username "amarillo".

Now that we have the username, it's time to brute-force the password; once again, the "302" response will indicate which one is correct.

Using the newly found credentials we can complete the lab.
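To show where such a difference comes from and how to remove it, here is an added example (not part of the lab or of PortSwigger's code): a toy login handler whose two failure paths return messages that differ only by a trailing period, beside a fixed handler with one constant error string, and a check that flags any difference between a real and an unreal user. The `amarillo` account and its password are constructed sample data.

```python
import hmac

# Constructed sample account; a real application would store a password hash.
USERS = {"amarillo": "correct-horse"}


def _check_password(stored: str, supplied: str) -> bool:
    # Constant-time comparison so the password check itself does not leak.
    return hmac.compare_digest(stored.encode(), supplied.encode())


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Two failure paths, two slightly different messages (the lab's bug)."""
    if username not in USERS:
        return 200, "Invalid username or password."
    if not _check_password(USERS[username], password):
        return 200, "Invalid username or password"  # no period: reveals the user exists
    return 302, "Redirect to /my-account"


def login_fixed(username: str, password: str) -> tuple[int, str]:
    """One failure path and one constant error string for both cases."""
    generic = "Invalid username or password."
    stored = USERS.get(username)
    # Run the comparison even for unknown users so response timing is uniform too.
    ok = _check_password(stored if stored is not None else "", password)
    if stored is None or not ok:
        return 200, generic
    return 302, "Redirect to /my-account"


def leaks_username_existence(handler, known_user: str, unknown_user: str) -> bool:
    """True if a failed login for a real user differs in any way from one for an unreal user."""
    wrong_pw = "definitely-not-the-password"
    return handler(known_user, wrong_pw) != handler(unknown_user, wrong_pw)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_username_existence(login_leaky, "amarillo", "nobody"))
    print("fixed handler leaks:", leaks_username_existence(login_fixed, "amarillo", "nobody"))
```

The `leaks_username_existence` check is the kind of regression test a team can keep in its suite: it compares the whole (status, body) pair, so a single-character drift like the missing period fails the build.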
