Learning Web-Sec - Day 11 - Authentication Vulnerabilities

Username enumeration via response timing - PortSwigger Lab Walkthrough.

Nimish Dudhe (SecOvfShanks)
System Weakness


Follow me for more such content, as it helps me stay motivated to write such detailed walk-throughs.

Today we’ll be looking at a vulnerable login system where we will exploit the fact that the response takes a bit longer to reach us. This happens because the application first checks whether the username is correct and, only if it is, goes on to check the password. If the password is very long, processing it takes noticeably longer, so the response is delayed.
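To make that behaviour concrete, here is an added example (not the lab’s code) that models the leak beside a hardened version. The expensive step is stood in for by PBKDF2, the user store is constructed, and each function returns how many hash operations it performed so the difference can be checked without a stopwatch.

```python
import hashlib
import hmac
import os

# Constructed demo of the timing leak: the vulnerable login only pays the password-hashing
# cost when the username exists, so a long password makes valid usernames reply slowly.
ITERATIONS = 50_000
MAX_PASSWORD_LEN = 128  # bound the work an attacker can induce with a huge password
_SALT = os.urandom(16)
_DUMMY_SALT = os.urandom(16)


def _slow_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for "expensive password hash" in this constructed example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). wiener:peter mirrors the lab credentials.
USERS = {"wiener": (_SALT, _slow_hash("peter", _SALT))}
# Precomputed record for unknown usernames so the hardened path always does the same work.
_DUMMY = (_DUMMY_SALT, _slow_hash("dummy-never-matches", _DUMMY_SALT))


def login_vulnerable(username: str, password: str) -> tuple:
    """Lab-style logic. Returns (authenticated, hash_calls).
    Unknown user: early return, 0 hash calls, fast reply. Known user: full cost."""
    record = USERS.get(username)
    if record is None:
        return False, 0
    salt, stored = record
    return hmac.compare_digest(_slow_hash(password, salt), stored), 1


def login_hardened(username: str, password: str) -> tuple:
    """Same decision, but the work done no longer depends on whether the username exists,
    and the password length is capped before any hashing happens."""
    if len(password) > MAX_PASSWORD_LEN:
        return False, 0  # rejected up front for every username alike
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_slow_hash(password, salt), stored)
    return ok and username in USERS, 1
```

The hash-call counts show what the lab’s response times reveal: the vulnerable path does no work for an unknown user and full work for a known one, while the hardened path costs the same either way.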

As we need to keep track of response time, we’ll be using the ZAP application, since it is a bit difficult to keep track of time in the terminal as we did in previous tasks/labs (to be honest, I did it in the terminal using the time command, but I had to keep checking the response time manually).

That’s all we need to know for the lab. So, let’s get into hacking.

Lab 3 - Username enumeration via response timing

Level: Practitioner

Description of Lab:

This lab is vulnerable to username enumeration using its response times. To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Your credentials: wiener:peter

Candidate usernames

Candidate passwords

Hint:

To add to the challenge, the lab also implements a form of IP-based brute-force protection. However, this can be easily bypassed by manipulating HTTP request headers.

As the hint says, the IP-based brute-force protection can be bypassed by manipulating HTTP request headers, so let’s look into it.

After going through a few results, I found that the ‘X-Forwarded-For’ header can be used to specify which IP the request is coming from. So we’ll use this to attempt the lab.

Syntax:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

Let’s see what happens when we try brute-forcing usernames without doing anything about the IP-based brute-force protection.

A 30-minute IP ban.

We will now bypass this IP ban using the header X-Forwarded-For.

For the correct username and password, we got the response in 1.19 seconds. Let’s now try a longer password.

Here we see that the response took over 13 seconds for a long password when the username is correct. Now let’s check whether that is also the case when the username is incorrect.

No, this isn’t the case when we enter a wrong username, which means we can enumerate usernames using this method. So, let’s now fuzz for the usernames.

And we’ll do it our way, using the terminal.

Going through the results, we found that the username ‘asterix’ took the most time, which makes it our likely username. To check this, let’s try it with an even longer password.

And yes, it took longer this time: 17 seconds in total. So, let’s now try different passwords with the same username.

We got our attack ready and deployed.

And we got our password. All that’s left to do is login.

And we’re done with another lab.


A cyber security + blockchain enthusiast who writes about web application penetration testing and blockchain network ecosystems.