Lab: Username enumeration via subtly different responses
Let’s start the next lab. This lab is similar to the last one, but this time it will be a bit harder. First, let’s go to the login page.
Let’s start our web proxy using FoxyProxy.
Similarly, let’s log in with some simple username and password and intercept this POST request. Next, we will send this request to Intruder.
Now we will enumerate for the username. Remember to click the Clear button on the left and, using Sniper mode, highlight the parameter you want to attack, which in this case is the username parameter.
Next, go to the payloads tab and load your payload with the username list (username and password list are given).
This time we need to go to the Grep - Extract section under the Options tab and add a new item.
You will see a pop-up window. Click the Fetch response button and scroll down the response until you see the sentence “Invalid username or password.”. Next, highlight that statement including the full stop, and click OK. This will add a new column to the results page.
Now let’s start our attack!
Once the attack is done, scroll through the results and you should spot one row that contains the string “Invalid username or password” but is missing the full stop. This is the subtle difference you should look out for in the results when enumerating usernames: because the response for this username differs from all the others, it is likely to be a valid username.
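To see why the missing full stop leaks information, here is an added example (not code from the lab or from PortSwigger) that models the server side. It assumes a constructed user store with one hypothetical account (`alice` / `correct-horse`), a vulnerable handler whose two failure branches return slightly different messages, a hardened handler that returns one fixed message from a single code path, and a defender's check that the failure response for a valid and an invalid username is byte-identical. The status codes and messages mirror the lab's behaviour; the salt and hashing parameters are demo values only.

```python
import hashlib
import hmac

# Constructed demo credential store (not the lab's data): username -> PBKDF2 hash.
_SALT = b"demo-salt-not-for-production"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct-horse")}  # hypothetical account

REDIRECT = (302, "Location: /my-account")


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Two failure branches, two slightly different messages: this is the leak."""
    if username not in USERS:
        return 200, "Invalid username or password."   # unknown user: full stop
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 200, "Invalid username or password"    # known user: no full stop
    return REDIRECT


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Single failure path with one constant message, regardless of why login failed."""
    generic_failure = (200, "Invalid username or password.")
    stored = USERS.get(username)
    # Hash the candidate even for unknown users so the work done is the same in both cases.
    candidate = _hash(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return generic_failure
    return REDIRECT


def failure_responses_identical(login_fn, known_user: str, unknown_user: str,
                                wrong_password: str = "definitely-wrong") -> bool:
    """Defender's regression check: a wrong password for a real account and for a
    non-existent account must produce exactly the same status and body."""
    return login_fn(known_user, wrong_password) == login_fn(unknown_user, wrong_password)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        same = failure_responses_identical(fn, "alice", "nobody")
        print(f"{name}: failure responses identical -> {same}")
```

Running the check against the vulnerable handler reports `False` (the responses differ by one character), while the hardened handler reports `True`; a check like this belongs in the login endpoint's test suite so that a later refactor cannot reintroduce a second failure branch with its own wording.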
I tried to log in with this username and a random password, but it still shows as invalid username. Let’s try to brute-force this account, as it may be the correct username based on the different response it received compared to the other usernames.
Same steps as before: let's select the parameter we want to attack, which this time is the password.
Let's load the payload with the password list this time and start our attack.
From the results, we can see that the password “amanda” has a different status from the rest, a 302 status. Let’s try to log in with it.
And we managed to log in to the user’s account!
Go into the “My account” page to clear the lab.