Burp Suite User Forum


Cluster bomb - Username enumeration via account lock

Samuel | Last updated: Jul 10, 2022 05:06PM UTC

Hi, I am currently working on the lab "Vulnerabilities in password-based login - Username enumeration via account lock", and after sending the cluster bomb attack there is no length variation for a valid account, even though I divided the recommended list of usernames into chunks of 20. Is something wrong with this lab?

Michelle, PortSwigger Agent | Last updated: Jul 11, 2022 03:15PM UTC

Hi, we've checked the lab, and on steps 3 and 4 of the solution we are seeing a difference in the length for two of the responses. Have you tried following along with the video solution provided by one of our users in the community?

RAMSHATH | Last updated: Nov 15, 2022 05:50AM UTC

I tried the same method shown in the video but was not able to get a different length variation.

Michelle, PortSwigger Agent | Last updated: Nov 15, 2022 08:31AM UTC

Hi, can you tell us a bit more about the steps you took? Are you using Burp Suite Community or Burp Suite Professional? How many usernames and passwords did you include in the attack at a time?

Rico | Last updated: Nov 27, 2022 04:32PM UTC

Please help me understand the logic of this lab. I passed it, but I don't understand one thing: I entered all the passwords, and even after the message that the account is blocked, I was able to log in without any problem.

Michelle, PortSwigger Agent | Last updated: Nov 28, 2022 11:10AM UTC

The resource materials should give you a bit more background on this type of vulnerability; there's a section that discusses account locking on this page: https://portswigger.net/web-security/authentication/password-based. I hope this helps.

Marwa | Last updated: Dec 31, 2022 03:09PM UTC

Hi, thank you in advance for your help! Is there a difference if we use Burp Community vs Burp Professional? I have followed along with the steps, and I am stuck enumerating the valid username. I have hit POST /login with the Cluster mode attack type. The first payload is the username (a list of candidate usernames, including "ae"), and for the password the null payload, as indicated, 5 times:

username=§hello§&password=12345§§

The line above is to show that I paid attention to setting the null payload. I do not see a difference in the length of any of the responses for any username, including ae. I did wait a couple of minutes before relaunching the attack. Could you please help here? Thanks

Ben, PortSwigger Agent | Last updated: Jan 02, 2023 10:42AM UTC

Hi Marwa, Intruder is throttled in Burp Community. You may find that you need to split up your attacks if you are using the Community edition (so rather than performing a single attack using the entirety of the username list you would break this up into several smaller attacks that use a subset of the username list for each).
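To make the mechanism this thread is circling concrete, the following is an added example (my own code, not the lab's or PortSwigger's): a toy login handler whose account-lock message leaks which usernames exist, beside a hardened version that keeps the lock but returns an identical response, plus a regression check a defender can run. The usernames, passwords, messages and lock threshold are all constructed.

```python
# Added example, not code from the thread or the lab; every value below is constructed.
from dataclasses import dataclass

LOCK_THRESHOLD = 3  # constructed; the lab's real threshold is not stated in the thread
GENERIC = (200, "Invalid username or password.")

@dataclass
class Account:
    password: str
    failures: int = 0

def fresh_store():
    # Constructed store: only "ae" (the username named in the thread) exists.
    return {"ae": Account(password="correct-horse")}

def login_leaky(users, username, password):
    """Vulnerable: unknown users always get GENERIC, but an existing user past the
    threshold gets a different, longer body, so the response length changes only
    for real usernames. As reported in the thread, the lock does not stop a correct password."""
    acct = users.get(username)
    if acct is None:
        return GENERIC
    if password == acct.password:
        acct.failures = 0
        return 302, "Logged in"
    acct.failures += 1
    if acct.failures >= LOCK_THRESHOLD:
        return 200, "Account locked: too many failed attempts."
    return GENERIC

def login_hardened(users, username, password):
    """Hardened: every failure path returns the same status and body, and a locked
    account rejects even the correct password, so the lock is enforced but cannot
    be observed from the response (expiry and alerting belong out of band)."""
    acct = users.get(username)
    if acct is None or acct.failures >= LOCK_THRESHOLD:
        return GENERIC  # locked looks exactly like unknown user or wrong password
    if password == acct.password:
        acct.failures = 0
        return 302, "Logged in"
    acct.failures += 1
    return GENERIC

def leaks_existence(login, attempts=LOCK_THRESHOLD + 1):
    """Regression check: do responses for a real and an unknown user differ after
    `attempts` wrong passwords each? True means the enumeration leak is present."""
    users = fresh_store()
    seen = {name: [login(users, name, f"wrong-{i}") for i in range(attempts)]
            for name in ("ae", "nobody")}
    return seen["ae"] != seen["nobody"]
```

Running `leaks_existence` against a real handler in a test suite is the cheapest way to catch this class of regression before an attacker's Intruder run does.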
