Username Enumeration through Account Lockout

Aug 28, 2024

Web Security Academy - Lab 7: Username Enumeration via Account Lockout

Introduction

  • Today's focus: Lab number seven in the authentication module.
  • Topic: Username enumeration through account lockout logic flaw.

Overview of the Lab

  • Goal: Exploit a logic flaw to enumerate valid usernames and their passwords.
    • Steps:
      1. Enumerate valid usernames.
      2. Brute force passwords for the valid usernames.
  • Vulnerability: Username enumeration via account lockout.

Lab Setup

  • Tools Used: Burp Suite (Professional version required for Intruder).
  • Starting Point: Access the lab, using Burp’s built-in browser to capture requests.

Initial Testing

  • Username Attempt: Testing with username "Carlos" and password "test".
  • Results: Invalid username/password; no lockout mechanism for invalid attempts observed.
  • Hypothesis: Valid username might trigger a lockout.

Using Burp Intruder

  1. Configure Intruder:
    • Add usernames to the attack payloads.
    • Use empty passwords to brute force usernames.
  2. Payload Settings:
    • Switched the attack type from Pitchfork to Cluster Bomb.
    • Cluster Bomb is needed when separate payload sets have to be combined across multiple input positions.
  3. Payload Execution:
    • Run the attack to check for lockout messages or different response lengths.

Observations During Attack

  • Received 400 status codes, indicating a missing parameter.
  • Adjusted payloads to include a value, which allowed for successful requests.
  • Monitoring for different response lengths to identify valid usernames.
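The attack pattern described above (one source hammering many usernames, then an account reporting lockout followed by a successful login) is easy to spot on the server side. The following is an added detection example written for this page; it is not code from the lab or from PortSwigger, and it assumes a made-up authentication log format (`<ISO timestamp> src=<ip> user=<name> result=<fail|locked|ok>`) with constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the lab or any real system).
# Assumed format: "<ISO timestamp> src=<ip> user=<name> result=<fail|locked|ok>"
SAMPLE_LOG = """\
2024-08-28T10:00:01 src=203.0.113.7 user=carlos result=fail
2024-08-28T10:00:02 src=203.0.113.7 user=carlos result=fail
2024-08-28T10:00:03 src=203.0.113.7 user=admin result=fail
2024-08-28T10:00:04 src=203.0.113.7 user=admin result=fail
2024-08-28T10:00:05 src=203.0.113.7 user=acid result=fail
2024-08-28T10:00:06 src=203.0.113.7 user=acid result=fail
2024-08-28T10:00:07 src=203.0.113.7 user=acid result=locked
2024-08-28T10:00:08 src=203.0.113.7 user=alice result=fail
2024-08-28T10:00:09 src=203.0.113.7 user=bob result=fail
2024-08-28T10:00:10 src=203.0.113.7 user=dave result=fail
2024-08-28T10:00:20 src=203.0.113.7 user=acid result=ok
2024-08-28T10:05:00 src=198.51.100.9 user=alice result=fail
2024-08-28T10:05:05 src=198.51.100.9 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(fail|locked|ok)$")


def parse(log_text):
    """Turn log lines into (timestamp, src, user, result) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_enumeration(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed attempts span many distinct usernames inside one window.
    Returns {src: sorted list of usernames} for each flagged source."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result in ("fail", "locked"):
            by_src[src].append((ts, user))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        best = set()
        start = 0
        for end in range(len(items)):  # sliding window over this source's failures
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts[src] = sorted(best)
    return alerts


def detect_locked_then_ok(events, window=timedelta(minutes=30)):
    """Accounts that report 'locked' and then log in successfully from the same source
    within the window: the signature of a lock that does not actually block the login."""
    locked_at = {}
    hits = []
    for ts, src, user, result in sorted(events):
        if result == "locked":
            locked_at[(src, user)] = ts
        elif result == "ok" and (src, user) in locked_at:
            if ts - locked_at[(src, user)] <= window:
                hits.append((src, user))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("enumeration:", detect_enumeration(ev))
    print("locked then ok:", detect_locked_then_ok(ev))
```

The enumeration rule keys on distinct usernames per source rather than on total failures, so a single user mistyping their own password many times does not trip it; the second rule flags exactly the behaviour this lab relies on, a lock that is reported but not enforced.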

Identifying Valid Username

  • Found a valid username: "acid" (indicated by a specific error message).
  • Next step: Brute force the password for the valid username.
    • Used sniper attack mode in Intruder.

Brute Forcing Passwords

  • Attempted various passwords for the username "acid".
  • Challenges: Encountered account lockout message after multiple incorrect attempts.
  • Important Note: Different response lengths during the attack indicated potential valid passwords.

Successful Login Attempt

  • After identifying candidate passwords, tried "Superman" for username "acid".
  • Outcome: Successfully logged in, which reveals the logic flaw in the application's authentication mechanism.
    • Logic flaw: Submitting the correct password for a locked account does not return an error message.
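The flaw the lab demonstrates comes down to two ordering mistakes in the login handler: the lockout message only exists for accounts that are real, and the password is checked before the lock state is consulted. Below is an added example, written for this page and not the lab's own code, that models the vulnerable logic beside a hardened version and checks whether the response sequence for a real account can be told apart from that of a nonexistent one. The account name and password are sample values taken from this walkthrough, and the SHA-256 hashing is a stand-in for a real password hash.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3
GENERIC_ERROR = "Invalid username or password."
LOCKOUT_MESSAGE = "You have made too many incorrect login attempts."


def _hash(password):
    # Placeholder for the example only; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    failures: int = 0


def make_accounts():
    # Constructed sample account using the credentials from this walkthrough.
    return {"acid": Account(_hash("Superman"))}


class VulnerableLogin:
    """Models the behaviour the lab describes; not the lab's actual implementation."""

    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return GENERIC_ERROR  # unknown users never lock, so the message never changes
        if acct.password_hash == _hash(password):
            acct.failures = 0
            return "Welcome"  # correct password is accepted even when the account is locked
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            return LOCKOUT_MESSAGE  # distinct text that only real accounts can produce
        return GENERIC_ERROR


class HardenedLogin:
    """Same storage, but the lock is enforced first and every failure looks the same."""

    def __init__(self, accounts):
        self.accounts = accounts
        self._dummy = Account(_hash("<dummy>"))  # keeps the unknown-user path doing the same work

    def login(self, username, password):
        acct = self.accounts.get(username, self._dummy)
        if acct.failures >= MAX_FAILURES:
            return GENERIC_ERROR  # lock check precedes password verification
        ok = hmac.compare_digest(acct.password_hash, _hash(password))
        if acct is not self._dummy:
            if ok:
                acct.failures = 0
                return "Welcome"
            acct.failures += 1
        return GENERIC_ERROR  # identical for unknown user, wrong password and locked account


def lockout_leaks_existence(handler_factory, attempts=MAX_FAILURES + 1):
    """True if repeated failures against a real account produce a different response
    sequence than the same failures against a nonexistent one."""
    handler = handler_factory(make_accounts())
    known = [handler.login("acid", "wrong-password") for _ in range(attempts)]
    unknown = [handler.login("nobody", "wrong-password") for _ in range(attempts)]
    return known != unknown


if __name__ == "__main__":
    print("vulnerable leaks:", lockout_leaks_existence(VulnerableLogin))
    print("hardened leaks:", lockout_leaks_existence(HardenedLogin))
```

Because the hardened handler responds identically in every failure case, nothing remains for response-length comparison to pick up; per-source rate limiting would be the natural next layer on top of the per-account lock.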

Conclusion

  • Successfully exploited a vulnerability using Burp Intruder.
  • The next lab will explore another case of broken authentication vulnerability.

Additional Notes

  • Human Element: Parts of the analysis in this lab cannot be fully automated through scripting; a person still has to interpret the responses.
  • Call to Action: Encouragement to like, subscribe, and check out more resources for learning.