Username enumeration via subtly different responses
This lab is similar to the previous one, but this time it shows a different error message - "Invalid username or password".
Once again we use Burp Suite's Intruder to brute-force the username and password. On the "Options" tab there is a section called "Grep - Extract". Here we can select the error message above so that it is extracted from every response while the attack runs.
During the brute-force attack, the extracted error message is shown in one of the rightmost columns. Although nearly all the messages are identical, one username produces a slightly different error: its message lacks the trailing period (".").
In this case it happens to be the username "amarillo".
Now that we have the username, it's time to brute-force the password, and once again the "302" response will indicate which password is correct.
Using the newly found credentials we can complete the lab.
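From the application's side, the lab's flaw is two code paths that return near-identical text. Below is an added example (not code from the lab or from PortSwigger) showing a leaky login handler beside a hardened one that returns a single fixed message and always performs the hash comparison, plus a small self-check a defender can run against their own handler; the user store and the `login_leaky`, `login_fixed` and `responses_differ` names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, salted SHA-256 hex digest).
def _digest(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice": ("s1", _digest("correct horse", "s1")),
}

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the unknown-user and wrong-password branches differ by one character."""
    if username not in USERS:
        return "Invalid username or password"        # no trailing period
    salt, stored = USERS[username]
    if _digest(password, salt) != stored:
        return "Invalid username or password."       # trailing period
    return "OK"

INVALID = "Invalid username or password."

def login_fixed(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the digest is computed and
    compared even for unknown users so both failure paths do the same work."""
    dummy = ("dummy-salt", _digest("dummy-password", "dummy-salt"))
    salt, stored = USERS.get(username, dummy)
    ok = hmac.compare_digest(_digest(password, salt), stored)
    if username in USERS and ok:
        return "OK"
    return INVALID

def responses_differ(handler, usernames, password: str = "wrong-guess") -> bool:
    """Defender's self-check: do any two usernames yield different failure text?"""
    return len({handler(u, password) for u in usernames}) > 1

if __name__ == "__main__":
    names = ["alice", "bob", "amarillo"]
    print("leaky handler leaks:", responses_differ(login_leaky, names))
    print("fixed handler leaks:", responses_differ(login_fixed, names))
```

The same check can be extended to compare status codes and response lengths, which are the other signals Intruder's columns expose.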