Learning Web-Sec - Day 10 - Authentication Vulnerabilities

Username Enumeration via Subtly Different Responses - PortSwigger Lab Walkthrough.

Nimish Dudhe (SecOvfShanks)
System Weakness


Follow me for more such content, as it helps me stay motivated to write such detailed walk-throughs.

Today we will solve a vulnerable password-based login lab, which shows how a small mistake can help narrow down the username list for further attacks, greatly saving the attacker’s time and resources.

Lab 2 - Username Enumeration via Subtly Different Responses

Level: Practitioner

Description of Lab:

This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:

Candidate usernames

Candidate passwords

To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Let’s get hacking!

We’re going to do this through the terminal, which means we’ll need the cURL command for the login request. Let’s make an incorrect login with a non-existent username so that we know what the response looks like when the username is wrong.

Now that we have our request captured, let’s copy the cURL command so that we can use it further while working on the terminal (just like a hacker would).

Copied the request.

Now we have the response for the incorrect username saved in a file. What we will be doing here is saving every response to a file so that we can compare the response for the incorrect username with the others.

Here we wrote a little bash loop to iterate over the usernames and save each request’s response to a username-req file. Now we have all the responses, and we’ll compare each of them with the secovfshanks-req file to check what differences there are between the two responses.

Each response had a line containing the word analytics, and each of those lines had its own ID, so to remove these lines we used grep -v analytics.

And below I’ve done some more grepping to remove unnecessary lines.

Above we can see that in some files there’s a difference of a “.” versus a “ ”. This is what’s going to tell us the valid username. So, let’s find the file which has this output. The loop below is edited so that it first prints the name of the username-req file and then displays the difference between the two. Using this, we find that the file that differs from secovfshanks-req is adserver-req.

This means that we got our username. Now if we try the same username with a wrong password, we can see an error message with no full stop at the end, which confirms that the username is valid.
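To see how this bug arises on the server side and how it is fixed, here is an added example (not the lab’s code): a login handler with two slightly different failure messages, the hardened version with a single failure response, and the regression check a defender would run to confirm that failed logins are byte-identical regardless of whether the username exists. The user store, salt and messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo store: username -> salted password hash (values are made up).
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {"alice": _hash("correct horse")}
# Dummy hash so the expensive check also runs for unknown users (uniform timing).
_DUMMY = _hash(secrets.token_hex(8))


def login_vulnerable(username: str, password: str) -> str:
    """Two failure paths whose text differs only by a trailing full stop: the lab's bug."""
    if username not in USERS:
        return "Invalid username or password."   # unknown user: full stop
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Invalid username or password"    # known user, wrong password: no full stop
    return "Welcome"


FAILURE = "Invalid username or password."


def login_fixed(username: str, password: str) -> str:
    """One failure constant for every failed login; the hash check always runs."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return "Welcome" if ok else FAILURE


def failure_responses_uniform(login, usernames, bad_password="not-the-password") -> bool:
    """Defender's regression check: every failed login must produce the same body."""
    bodies = {login(u, bad_password) for u in usernames}
    return len(bodies) == 1
```

In a real deployment the same check should also cover status codes, headers and response timing, since any of them can leak the same bit of information as the missing full stop.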

Now we will try all the possible passwords from the passwords file. Using the same username and a loop, we’ll save all the responses to separate text files.

The username in my request is different from what we found because the lab timed out due to inactivity, and I had to go through the whole process again.

In no time we’ll have the responses to all the requests, and one file will stand out: the one with size 0. This indicates that “ginger” is the password.

All that’s now left to do is log in.

And we’re done with the lab.

Congratulations, people! We successfully hacked into one more Authentication Lab.


A cyber security + blockchain enthusiast who writes about web application penetration testing and blockchain network ecosystems.