
🗂️PortSwigger Lab Writeup: Username Enumeration via Subtly Different Responses

PortSwigger lab banner: Username enumeration via subtly different responses


🎯 Objective

The objective of this lab is to exploit an authentication weakness where the application returns a subtly different response for an invalid username versus an invalid password. The goal is to enumerate a valid username, brute-force its password, and log in to the account.

  • Lab URL: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses
  • Category: Authentication
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    Lab homepage screenshot showing site layout
    Login page screenshot for the vulnerable application
  • At first glance, the website seems to be a blogging website with a login page. The lab description mentions that we first need to find a valid username and then brute-force its password.

📝Step 2: Enumerate Username

  • Open Burp Suite, capture a POST request to /login and send it to the Intruder tab with Ctrl + I.
    Burp Suite proxy capture of POST /login request
  • Add the payload marker on the username value and set the attack type to Sniper.
    Burp Intruder set marker on username field (Sniper)
  • In the Payloads section, set the Payload type to Simple list and paste the candidate usernames provided by PortSwigger (Candidate Usernames).
    Intruder payloads: candidate usernames list
  • In the Intruder settings, under the Grep - Match section, add the string Invalid username or password. (including the trailing full stop), as this is the normal response the app returns for invalid usernames.
    Intruder grep-match configuration for invalid credentials string
  • After configuring everything, start the attack.
    Intruder attack results highlighting unique response for valid username
  • Among all the payloads, you will see one unique response that does not contain the string we added in Grep - Match.
  • Looking at the actual response, we see the error message Invalid username or password without a full stop (.). This missing full stop is the signal for a valid username: analyzer.

🚀Step 3: Bruteforce Password

  • Now we will brute-force the password for the enumerated username.
  • In the Intruder tab, set the marker on the password value this time and set the attack type to Sniper.
    Intruder marker set on password field for brute-force
  • In the Payloads section, set the Payload type to Simple list and paste the candidate passwords provided by PortSwigger (Candidate Passwords).
    Intruder payloads: candidate passwords list
  • After configuring everything, start the attack.
    Intruder results showing 302 redirect for valid credentials
  • Among all the payloads, you will see one unique response with a 302 Found status.
  • Looking at the actual response, we see that the server returns 302 Found and redirects to the dashboard page, which means the credentials were valid.
  • This confirms the password 131313 for the username analyzer.

🧑‍💼Step 4: Log in as analyzer

  • Open the login page and paste in the extracted credentials to log in.
    Login form filled with discovered credentials
  • Finally, the lab is solved.
    Lab solved confirmation screen

🧠 Conclusion

  • This lab showed how username enumeration via different responses can be abused to find valid accounts. Using Burp Intruder with the candidate lists, we identified academico (the response showed Invalid password) and then brute-forced the password baseball, allowing us to log in.
  • Such behavior has a serious impact: it makes targeted brute-force attacks and account takeover much easier for attackers.
  • Fix: return a single generic authentication error message (identical status code and body on every failure path), add rate limiting, account lockouts or CAPTCHA, enable MFA, and monitor for brute-force patterns.
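As an added example (not code from the lab or this writeup), the Python below reproduces the lab's flaw in a toy login handler next to a hardened version with a single generic failure path, plus a uniformity check a developer can run in tests to catch such subtle response differences. The user store, salt and usernames are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example: username -> PBKDF2 hash (no real lab accounts).
_SALT = b"constructed-example-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash("correct horse battery")}
GENERIC_ERROR = "Invalid username or password."
# Random dummy hash that never equals a real PBKDF2 output, so unknown usernames
# still pay the same hashing cost as known ones (no timing side channel).
_DUMMY_HASH = secrets.token_bytes(32)

def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Mirrors the lab's flaw: the wrong-password branch omits the full stop."""
    if username not in USERS:
        return 200, "Invalid username or password."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 200, "Invalid username or password"  # subtly different body
    return 302, "/my-account"

def login_fixed(username: str, password: str) -> tuple[int, str]:
    """Single failure path: identical status and body whether or not the user exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))  # constant-time compare
    if username in USERS and match:
        return 302, "/my-account"
    return 200, GENERIC_ERROR

def failure_responses_uniform(handler, usernames, password="definitely-wrong") -> bool:
    """Defender's regression check: every failed login must yield exactly one
    distinct (status, body) pair across existing and non-existing usernames."""
    seen = {handler(u, password) for u in usernames}
    return len(seen) == 1

if __name__ == "__main__":
    probe = ["alice", "bob", "carol"]  # one real, two unknown (constructed)
    print("leaky uniform:", failure_responses_uniform(login_leaky, probe))  # False
    print("fixed uniform:", failure_responses_uniform(login_fixed, probe))  # True
```

The same check can be pointed at a real handler in a unit test so that a future edit to one error message, like the missing full stop in this lab, fails CI instead of reaching production.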