Username Enumeration via Account Lock
Lab
Username enumeration via account lock · Practitioner
Solution
Given
This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
Candidate usernames
Candidate passwords
Analyzing the task
The site's brute-force protection is account locking. We need to use that behaviour to identify an existing user and then brute-force that user's password.
Recon
Let's see how the login function works and what an account lock looks like. In theory we can try a username that obviously ought to exist and observe how the locking behaves.
I sent 30 requests each for admin, root and administrator. The response was consistently "Invalid username or password". No lock yet.
Changing tactics. I make a list of usernames in which each name is repeated 10 times, so that any lock-out is triggered within the run. Sorting the attack results by response length shows our only candidate so far: americas. The lock-out response only appears for an account that actually exists, which is exactly the logic flaw that gives the username away.
Ok, now let's set up an attack on this user's password, again sorting by response length. Found americas / monkey.
Lab solved.
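To make the logic flaw concrete from the defender's side, here is an added example (not part of the original write-up and not the lab's code) that models the two behaviours in plain Python: a login handler that only tracks failures for accounts that exist, so a real user eventually produces a different "locked" response, beside a hardened handler that tracks failures against whatever username was submitted and always returns the same generic message. The `leaks_existence` check repeats the write-up's probe (the same username with a wrong password, ten times) and reports whether the set of responses differs between a real and a made-up user. The user store, lock threshold and message texts are constructed for the example.

```python
"""Added example: vulnerable vs hardened account-lock logic for a login form.

The flaw in the vulnerable handler is that the failure counter only exists for
real accounts, so repeated wrong passwords change the response (lock message,
different length) for a valid username but not for an invalid one.
All usernames, passwords, thresholds and messages here are constructed.
"""

from dataclasses import dataclass, field

LOCK_THRESHOLD = 3          # assumption: lock after 3 consecutive failures
GENERIC = "Invalid username or password."
LOCKED = "Account locked, try again later."   # constructed lock message


@dataclass
class VulnerableLogin:
    users: dict                                      # username -> password
    failures: dict = field(default_factory=dict)     # username -> failure count

    def attempt(self, username: str, password: str) -> str:
        if username not in self.users:
            # Flaw: unknown usernames never accumulate failures, so they can
            # never lock, and their response never changes.
            return GENERIC
        if self.failures.get(username, 0) >= LOCK_THRESHOLD:
            return LOCKED                            # distinct response leaks existence
        if self.users[username] == password:
            self.failures[username] = 0
            return "Welcome"
        self.failures[username] = self.failures.get(username, 0) + 1
        return GENERIC


@dataclass
class HardenedLogin:
    users: dict
    failures: dict = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        # Count failures against the submitted name whether or not it exists,
        # and never change the failure message once a name is locked.
        count = self.failures.get(username, 0)
        if count >= LOCK_THRESHOLD:
            return GENERIC                           # silently refuse, same body as any failure
        valid = username in self.users and self.users[username] == password
        if valid:
            self.failures[username] = 0
            return "Welcome"
        self.failures[username] = count + 1
        return GENERIC


def leaks_existence(login_factory, real_user: str, fake_user: str, attempts: int = 10) -> bool:
    """True if repeating a wrong password produces a different set of responses
    for an existing user than for a non-existent one (the signal the write-up
    finds by sorting on response length)."""
    login = login_factory()
    real = {login.attempt(real_user, "wrong-password") for _ in range(attempts)}
    fake = {login.attempt(fake_user, "wrong-password") for _ in range(attempts)}
    return real != fake


# Constructed user store; the credential pair is the one the write-up recovered.
SAMPLE_USERS = {"americas": "monkey"}


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(lambda: VulnerableLogin(dict(SAMPLE_USERS)), "americas", "nobody"))
    print("hardened leaks:  ", leaks_existence(lambda: HardenedLogin(dict(SAMPLE_USERS)), "americas", "nobody"))
```

The hardened handler closes the enumeration channel but is not a complete fix on its own: counting failures for arbitrary submitted names means the failure table must be bounded (expire entries, cap its size), and real deployments also throttle per source address and keep response timing uniform, since a measurable delay difference would leak the same information the message did.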