🗂️ PortSwigger Lab Writeup: Username Enumeration via Different Responses

[Screenshot: PortSwigger lab description page for Authentication - Username enumeration via different responses]


🎯 Objective

The objective of this lab is to exploit an authentication weakness where the application returns a different response for an invalid username than for an invalid password. The goal is to enumerate a valid username, brute-force its password, and log in to that account.

  • Lab URL: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses
  • Category: Authentication
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is and how it works. [Screenshot: Initial inspection of the shopping website layout] [Screenshot: Login page of lab instance]
  • At first glance, the website appears to be a blogging site with a login page. The lab description states that we first need to find a valid username and then brute-force its password.

📝Step 2: Enumerate Usernames

  • Open Burp Suite, capture a POST request to /login and send it to the Intruder tab with Ctrl + I. [Screenshot: Burp Suite HTTP history with the /login request]
  • Add a payload marker on the username value and set the attack type to Sniper. [Screenshot: Burp Suite Intruder tab with marker on the username value]
  • In the Payloads section, set the payload type to Simple list and paste the candidate usernames provided by PortSwigger. [Screenshot: Burp Suite Intruder Payloads section - Payload 1]
  • After configuring everything, start the attack. [Screenshot: Burp Suite Intruder attack results for username enumeration]
  • Among all the payloads, exactly one response has a different length from the others. Opening that response shows the error message "Invalid password" for the username academico.
  • This error message confirms a valid username: academico.
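To show why the length column in Intruder singles out one username, here is an added example (not the lab's code and not from this writeup) that puts the leaky login pattern next to a hardened one. The user store `USERS`, the passwords, and the function names `login_leaky`, `login_hardened` and `distinguishable` are all constructed for this demonstration.

```python
"""Added example: a login handler that leaks which field was wrong, beside one
that returns the same status and message on every failure. The user store and
passwords are constructed for the demo; nothing here is the lab's own code."""
import hashlib
import hmac
import os
from typing import Callable, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Only one account exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so that the
# unknown-user path does the same hashing work as the wrong-password path
# (otherwise response time would leak what the message no longer does).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-dummy-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """Vulnerable pattern (what the lab exhibits): the error text differs
    depending on whether the username or the password was wrong."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Incorrect password"
    return 302, "Redirect to /my-account"


def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """Hardened pattern: identical status and body on both failure paths,
    and the hash is always computed so timing does not split them either."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (matches and username in USERS):
        return 200, "Invalid username or password"
    return 302, "Redirect to /my-account"


def distinguishable(handler: Callable[[str, str], Tuple[int, str]],
                    known_user: str, unknown_user: str,
                    wrong_password: str = "nope") -> bool:
    """True if an observer comparing two responses (as Intruder's length
    column does) can tell a valid username from an invalid one."""
    return handler(known_user, wrong_password) != handler(unknown_user, wrong_password)


if __name__ == "__main__":
    print("leaky handler distinguishable:", distinguishable(login_leaky, "alice", "bob"))
    print("hardened handler distinguishable:", distinguishable(login_hardened, "alice", "bob"))
```

The hardened handler still lets a real user in (302 on the correct password) but gives an outside observer the same response, and the same amount of server work, for "alice with a wrong password" and "bob who does not exist".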

🚀Step 3: Bruteforce Password

  • Now we brute-force the password for the enumerated username.
  • In the Intruder tab, move the payload marker to the password value and keep the attack type set to Sniper. [Screenshot: Burp Suite Intruder tab with marker on the password value]
  • In the Payloads section, set the payload type to Simple list and paste the candidate passwords provided by PortSwigger. [Screenshot: Burp Suite Intruder Payloads section]
  • After configuring everything, start the attack. [Screenshot: Burp Suite Intruder attack results for password brute-force]
  • Among all the payloads, exactly one response has a different length from the others. Opening that response shows the server returning 302 Found and redirecting to the account page, which means the credentials were valid.
  • This confirms the password baseball for the username academico.

🧑‍💼Step 4: Log in as academico

  • Open the login page and enter the extracted credentials to log in. [Screenshot: Login page with extracted credentials]
  • Finally, the lab is solved. [Screenshot: PortSwigger lab solved confirmation after logging in]

🧠 Conclusion

  • This lab showed how username enumeration via different responses can be abused to find valid accounts. Using Burp Intruder with the candidate lists we identified academico (the response showed "Invalid password") and then brute-forced the password baseball, allowing us to log in.
  • Such behaviour has a serious impact: it makes targeted brute-force attacks and account takeover much easier for attackers, because the attacker only has to guess one factor at a time.
  • Fix: return a generic authentication error message, add rate limiting, account lockouts or CAPTCHA, enable MFA, and monitor for brute-force patterns.
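The last point of the fix, monitoring for brute-force patterns, is concrete enough to show as code. The example below is added here and is not part of the writeup or of any PortSwigger material; the log format, the sample lines in `SAMPLE_LOG`, the thresholds, and the functions `parse` and `detect` are all constructed for this demonstration. It flags the two traffic shapes this lab generates: one source trying many usernames (enumeration), one source hammering a single username (password brute force), and a success on an account that was already being brute-forced (likely takeover).

```python
"""Added detection example (not from the writeup): flag the request patterns a
Sniper attack against /login produces, using constructed login audit lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, client IP, username tried, outcome.
# 203.0.113.9 sprays usernames, then brute-forces academico and succeeds;
# 198.51.100.4 is a normal user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.9 login user=admin result=fail
2024-05-01T10:00:01Z 203.0.113.9 login user=root result=fail
2024-05-01T10:00:01Z 203.0.113.9 login user=guest result=fail
2024-05-01T10:00:02Z 203.0.113.9 login user=test result=fail
2024-05-01T10:00:02Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:00:03Z 203.0.113.9 login user=info result=fail
2024-05-01T10:01:00Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:01:01Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:01:02Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:01:03Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:01:04Z 203.0.113.9 login user=academico result=fail
2024-05-01T10:01:05Z 203.0.113.9 login user=academico result=success
2024-05-01T10:02:00Z 198.51.100.4 login user=carlos result=fail
2024-05-01T10:02:30Z 198.51.100.4 login user=carlos result=success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(fail|success)$")


def parse(log: str):
    """Return a list of (timestamp, ip, username, success) tuples.
    Lines that do not match the constructed format are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return events


def detect(events, window=timedelta(minutes=5), distinct_users=5, per_user_fails=5):
    """Per source IP, keep the failures inside a sliding window and report:
      enumeration  - at least `distinct_users` different usernames failing
      brute_force  - at least `per_user_fails` failures against one username
      takeover     - a success for a username already flagged as brute_force
    Returns a sorted list of (ip, kind, detail) tuples."""
    findings = set()
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    for ip, evs in by_ip.items():
        recent_fails = deque()      # (timestamp, username) within the window
        flagged_users = set()
        for ts, _, user, ok in evs:
            while recent_fails and recent_fails[0][0] < ts - window:
                recent_fails.popleft()
            if ok:
                if user in flagged_users:
                    findings.add((ip, "takeover", user))
                continue
            recent_fails.append((ts, user))
            if len({u for _, u in recent_fails}) >= distinct_users:
                findings.add((ip, "enumeration", "multiple_users"))
            if sum(1 for _, u in recent_fails if u == user) >= per_user_fails:
                findings.add((ip, "brute_force", user))
                flagged_users.add(user)
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ip}\t{kind}\t{detail}")
```

Thresholds of five in five minutes are deliberately low so the short sample triggers; in production they should be tuned against real traffic, and the same counters are what a rate limiter or lockout would act on. The takeover rule is the one worth alerting on loudly: a success immediately after a burst of failures from the same source is the moment the lab's Step 4 happens.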