Burp Suite User Forum


Bug on "Lab: Username enumeration via account lock"

Eren | Last updated: Jun 01, 2022 09:04PM UTC

Hello, I tried every way to solve the lab but I couldn't get any results. I think there is something wrong with some labs. I faced the same problem before. Should I send an email to the support mail address?

Liam, PortSwigger Agent | Last updated: Jun 02, 2022 05:59AM UTC

Thanks for your message. Have you tried following the community solution?

Eren | Last updated: Jun 02, 2022 02:02PM UTC

Yeah, I tried everything: your solution, the community solution and other sources. So, can you reset the labs, or will you accept the labs as solved? How will that happen?

Liam, PortSwigger Agent | Last updated: Jun 03, 2022 06:57AM UTC

The labs are passing in our testing. Are you still encountering this issue?

Eren | Last updated: Jun 03, 2022 05:21PM UTC

Yeah, it's still there. I sent screenshots about this. https://img.ssyukle.com/image/NNOJ83 https://img.ssyukle.com/image/NNONhy

Sepsev | Last updated: Jun 03, 2022 09:42PM UTC

Hello. I'm experiencing the same issue as well. According to step 4 of the community solution, we should receive a message about the account being locked in the response once we've exceeded the failed attempts threshold for a single account. Step 4 says the following verbatim: "In the results, notice that the responses for one of the usernames were longer than responses when using other usernames. Study the response more closely and notice that it contains a different error message: You have made too many incorrect login attempts. Make a note of this username." I ran a sniper attack with Intruder using the valid "Wiener" username and all 100 candidate passwords (none of which was the correct password) as the payload. None of the responses returned "You have made too many incorrect login attempts", and all responses had the exact same length. This was a test to confirm we are not exceeding the failed attempt threshold. Without a set threshold, we cannot progress through the remaining steps for the "Username enumeration via account lock" lab.
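The behaviour Sepsev describes (a locked account answering with a different, longer error message than an unknown one) is the oracle this lab is built around. As an added example, not part of the forum thread or of PortSwigger's lab code, the toy handlers below show the leaky per-account lockout next to a hardened variant that keeps the lockout but answers uniformly, together with the kind of regression check a defender can run against their own login endpoint. The user store, the names `alice` and `bob`, the threshold and the messages are all constructed for the demonstration.

```python
"""Added example (not from the forum thread or the lab): a login handler whose
lockout message reveals whether an account exists, beside a hardened handler
that enforces the same lockout but returns one uniform response. The user
store, names, threshold and messages are constructed for this demonstration."""
import hashlib
import hmac
from collections import defaultdict

# Constructed user store: username -> SHA-256 of the password (toy scheme).
_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
_DUMMY_HASH = hashlib.sha256(b"").hexdigest()
LOCK_THRESHOLD = 3  # constructed: failed attempts allowed before locking

def _check(username, password):
    """Constant-time hash comparison; unknown users compare against a dummy hash
    so the known/unknown branches do the same amount of work."""
    candidate = hashlib.sha256(password.encode()).hexdigest()
    stored = _USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, candidate)
    return ok and username in _USERS

class LeakyLogin:
    """Per-account lockout whose message differs for locked (hence valid) accounts."""
    def __init__(self):
        self.failures = defaultdict(int)
    def login(self, username, password):
        # Only real accounts can be locked, so this message is an existence oracle.
        if username in _USERS and self.failures[username] >= LOCK_THRESHOLD:
            return "You have made too many incorrect login attempts."
        if _check(username, password):
            self.failures[username] = 0
            return "OK"
        if username in _USERS:
            self.failures[username] += 1
        return "Invalid username or password."

class HardenedLogin:
    """Lockout is still enforced server-side, but every failure path returns the
    same message, whether the name is unknown, wrong-password or locked."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()
    def login(self, username, password):
        self.failures[username] += 1          # counted for any submitted name
        if self.failures[username] > LOCK_THRESHOLD:
            self.locked.add(username)         # visible in server logs, not to the client
        if username in self.locked or not _check(username, password):
            return "Invalid username or password."
        self.failures[username] = 0
        return "OK"

def probe(handler, usernames, attempts=LOCK_THRESHOLD + 1):
    """Defender-side regression check: submit `attempts` wrong passwords per name
    and record the distinct (message, length) pairs each name produced."""
    results = {}
    for name in usernames:
        messages = {handler.login(name, "definitely-wrong") for _ in range(attempts)}
        results[name] = sorted((m, len(m)) for m in messages)
    return results

def leaks_account_state(handler, usernames):
    """True when different usernames yield different response sets past the
    threshold, i.e. the lockout behaviour distinguishes valid from unknown names."""
    distinct = {tuple(v) for v in probe(handler, usernames).values()}
    return len(distinct) > 1

if __name__ == "__main__":
    names = ["alice", "bob"]  # constructed: one real account, one unknown
    print("leaky handler leaks:", leaks_account_state(LeakyLogin(), names))
    print("hardened handler leaks:", leaks_account_state(HardenedLogin(), names))
```

Running the check against `LeakyLogin` shows two distinct responses for the real account and one for the unknown name, which is exactly the length difference Intruder surfaces; `HardenedLogin` yields the same single response for both, while still refusing the real account after the threshold.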

Ben, PortSwigger Agent | Last updated: Jun 07, 2022 07:19AM UTC

Hi, on a general note, if you are using Burp Community then we would recommend that you split up your attacks into smaller subsets in order to better handle the throttling that occurs within Intruder in this edition of Burp, i.e. break the usernames down into smaller sets and run multiple attacks. @Sepsev, have you tried running through the initial steps of the solution rather than attempting your approach? 'wiener' is not a valid username for this particular lab.
