This post walks through how I solved an authentication lab on PortSwigger and highlights the key things I noticed during the process.
Section 1: Solution Steps and Key Observations
Step 0: Preparation
- I began by saving the lab’s provided wordlists into two files on my local machine: username.txt and passwords.txt.
- I intercepted a login request with Burp Suite and sent it to the Intruder tool.
Key Takeaway 1: Why Sniper, Not Cluster Bomb?
A common question is why I didn’t immediately use the Cluster Bomb attack to brute-force both username and password simultaneously.
The reason is purely practical. A Cluster Bomb attack tests every combination of usernames and passwords; even with modest wordlists this means thousands of requests (e.g., 100 usernames × 100 passwords = 10,000 requests).
This is often:
- Time-consuming: Slows down the testing process significantly.
- Noisy: Generates excessive traffic, which is more likely to trigger defensive mechanisms like IP blocking.
- Unnecessary: We can achieve the goal with far fewer requests by breaking the problem into two smaller, more manageable steps.
Step 1: Enumerating the Username
- Attack Type: I used a Sniper attack.
- Target: I set the request parameter for the username as the payload position and kept the password field static with a dummy value (e.g., password=123).
- Payload: I loaded the username.txt file.
- Observation: After launching the attack, I sorted the results by Response Length. One username stood out with a distinctly different length than all the others.
- Analysis: Inspecting the response for this unique entry, I saw the error message changed from “Invalid username” to “Incorrect password.” This confirmed I had found a valid username.

Step 2: Cracking the Password
- Attack Type: I continued with a Sniper attack.
- Target: I updated the original request, placing the now-known valid username in its field and setting the password parameter as the payload position.
- Payload: I loaded the passwords.txt file.
- Observation: This time, I monitored the Status Code. While most requests returned a 200 OK status, one request returned a 302 Found status code.
- Analysis: A 302 status indicates a redirection, typically meaning the login was successful, and the server is redirecting the user to a new page (e.g., the user dashboard).

Key Takeaway 2:
Different error messages or response lengths for invalid usernames versus valid usernames with wrong passwords are a classic enumeration vulnerability.
Using the identified username and password, I successfully logged in and solved the lab.
Section 2: Lessons Learned
2.1 Efficient Brute-Force Testing
Instead of launching a massive, simultaneous attack, a smarter approach is to segment the process. First, enumerate valid usernames, then target those specific accounts for password cracking. This drastically reduces the number of requests and speeds up the process.
2.2 Critical Authentication Response Indicators
When performing brute-force testing, always monitor these key indicators in the server’s response:
- Status Code: A 302 Found or any non-200 code can signal success. 200 OK often indicates failure.
- Response Length: A significant change in length often reveals a different error message or a successful login page.
- Error Messages: Subtle differences in wording (e.g., “Invalid username” vs. “Incorrect password”) are the most common source of username enumeration vulnerabilities.
- Response Time: In some advanced scenarios, a noticeably longer response time for a valid user can also be an indicator.
2.3 What is a 302 Status Code?
A 302 Found is an HTTP status code that tells the client (your browser) that the requested resource has been temporarily moved to a different URL. In the context of authentication, a successful login often triggers a 302 redirect to a post-login page (like /my-account), while a failed attempt typically results in a 200 OK response that re-renders the login page with an error message.
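To make the indicators from 2.2 and the 302-versus-200 behaviour from 2.3 concrete from the defender's side, here is an added example (not code from the lab or from PortSwigger) of a minimal login check in both forms: the leaky version returns the distinct "Invalid username" / "Incorrect password" messages and skips hashing for unknown users, while the hardened version returns one uniform failure response and does the same work on every path. The user store, salt and credentials are constructed placeholders.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed demo user store (username -> (salt, PBKDF2 hash)); not a real application.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-demo-salt"
USERS = {"carlos": (_SALT, _hash("montoya-demo", _SALT))}  # placeholder credentials
# Dummy record so an unknown username still costs one hash computation
# (removes the response-time indicator from 2.2).
_DUMMY = (_SALT, _hash("dummy", _SALT))

def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """The pattern the lab exploits: two different error strings (different lengths),
    and no hashing at all when the username does not exist."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return 200, "Incorrect password"
    return 302, "Location: /my-account"

def login_hardened(username: str, password: str) -> Tuple[int, str]:
    """Uniform failure: same status, same text (hence same length), same amount of work."""
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest always runs (constant-time); the membership test comes after it.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return 200, "Invalid username or password"
    return 302, "Location: /my-account"

def leaks_username(login: Callable[[str, str], Tuple[int, str]]) -> bool:
    """Apply the post's own check: does an unknown user and a valid user with a wrong
    password produce a different status, body or body length?"""
    unknown = login("nobody", "wrong")
    known = login("carlos", "wrong")
    return unknown != known or len(unknown[1]) != len(known[1])
```

The same function can be pointed at any handler under test; a True result is the enumeration condition the lab's Response Length sort surfaces.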
Section 3: References and Further Reading
Essential Wordlist Collections
Further Reading on Authentication Flaws
- OWASP Authentication Cheat Sheet: Provides comprehensive guidance for developers on how to implement authentication securely, which in turn helps testers know what flaws to look for
- OWASP Testing Guide: Testing for User Enumeration: A formalized testing methodology from OWASP that expands on the concepts practiced in this lab, covering other enumeration vectors beyond login pages.