Username enumeration via different responses
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses
Level: Apprentice
The lab has a login form, reached from the my-account page, whose responses differ depending on whether the submitted username exists, which gives us a way to enumerate users. This time I will be using Burp Suite to make the process faster and easier.
Download the two wordlists provided on the lab page.
Use Intruder for this: run a Sniper attack with a Simple list payload to enumerate the users first.
As shown in the Burp Suite example, I sort the results by response length so the odd one out stands out.
After that, I search the responses for the keyword "Invalid username"; the entry that does not contain it is the valid username.
Repeat the same process with the password wordlist to find the password.
Once you have the credentials, log in as the valid user with the corresponding password to solve the lab.
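The weakness the lab exploits is the login handler answering "Invalid username" for unknown users and a different message for known ones. The following is an added example (not the lab's code or PortSwigger's) of a minimal login handler in that vulnerable form next to a hardened one that returns a single generic message and does the same amount of work either way, plus a self-check in the spirit of the Intruder run: it feeds a list of usernames through the handler and reports which ones produce a response of a different status or length. The user store, salt and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample user store for the example; the salt and credentials are made up.
_SALT = b"example-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("s3cret-example")}

# Dummy hash computed once so the hardened path costs the same for unknown users.
_DUMMY_HASH = _hash(os.urandom(16).hex())


def login_vulnerable(username, password):
    """Lab-style handler: the error message (and so the response length) leaks user existence."""
    stored = USERS.get(username)
    if stored is None:
        return 200, "Invalid username"
    if not hmac.compare_digest(stored, _hash(password)):
        return 200, "Incorrect password"
    return 302, "Logged in"


def login_hardened(username, password):
    """Same message and same hashing work whether or not the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash(password))
    if not matched or username not in USERS:
        return 200, "Invalid username or password"
    return 302, "Logged in"


def response_outliers(login, usernames, password):
    """What a Sniper run sorted by length shows: usernames whose (status, length) differs
    from the most common pair. A non-empty result means the handler is enumerable."""
    signatures = {u: (login(u, password)[0], len(login(u, password)[1])) for u in usernames}
    common = Counter(signatures.values()).most_common(1)[0][0]
    return [u for u, sig in signatures.items() if sig != common]


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol", "dave"]
    print("vulnerable:", response_outliers(login_vulnerable, candidates, "wrong"))
    print("hardened:  ", response_outliers(login_hardened, candidates, "wrong"))
```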