Authentication
The "Web Hacking" section are notes that I have compiled while learning using the PortSwigger Web Security Academy and from the book Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities by Vickie Li. A majority of the notes/codes are from them, however I will modify these according to my needs.
Username enumeration considerations
Username enumeration is when an attacker is able to observe changes in the website's behavior in order to identify whether a given username is valid.While attempting to brute-force a login page, you should pay particular attention to any differences in:
- Status codes
- Error messages
- Response times
Username enumeration via different responses
BurpSuite Intruder can be used to brute-force a login page in order to see which usernames and passwords work together. You start with finding out what usernames are on the system, by running the Sniper Attack Type (with a custom wordlist) on just the username portion:
username=§apache§&password=admin
Viewing the Intruder attack logs, if we see a difference in length of the response, then we have found a valid username. We then do the same for the password as well:
username=apache&password=§admin§
Since we know the username from the previous attack, we then only need the password for the full login. For this one, we view the HTTP response status codes in the Intruder window. If one is different from the rest, we have then found our password.
Username enumeration via subtly different responses
We can also use responses themselves instead of the status codes in order to find out when a username and password are correct/incorrect. An example of this is viewing the response from a website:
When the username and password are wrong:
-eb0ae23148991eb751fc3ce6d4ed561d.png)
When the username is correct and the password is wrong (notice the last period missing):
-368caf29e0f0edee5c563fa71e93ee0f.png)
We can use these strings to then use the Burp Intruder to search for those exact strings using the Grep - Match feature (under Options):
-bbc8426e38e5ea0610c460c562e0d76e.png)
When we do not see that string in the response, we can assume we have a password:
-9819a9c2bc4c11fc4d55c70722b896b5.png)
Username enumeration via response timing
We can use responses to notice differences in output from a system to notice a potential found username. This is done by adding a
X-Forwarded-For: xxxxxx
header which then allows you to bypass an IP-address limit for requests. Using the Pitchfork Attack Type you can choose different lists to use for different sections. An example query:
POST /login HTTP/1.1 Host: ace31fb61fba8c41c03d201f009d0022.web-security-academy.net
.....
Connection: close
X-Forwarded-For: §2§
username=§mysql§&password=hgjgjhghjghjgjh
You can use this to then bypass the IP-address limit and then look for responses that are different, indicating that you have potentially found a username:
-c415aff98f5da11972c629eebbaf26a8.png)
You can do the same with the password, however for the password the status column lets you know if you got the correct password.