Burp Suite User Forum


Cluster bomb - Username enumeration via account lock

Samuel | Last updated: Jul 10, 2022 05:06PM UTC

Hi, I'm currently working on the lab "Vulnerabilities in password-based login - Username enumeration via account lock", and after sending a cluster bomb attack, there is no length variation for the valid account. I even divided the recommended list of usernames into chunks of 20. Is something wrong with this lab?

Michelle, PortSwigger Agent | Last updated: Jul 11, 2022 03:15PM UTC

Hi, we've checked the lab, and on steps 3 and 4 of the solution we are seeing a difference in the length for two of the responses. Have you tried following along with the video solution provided by one of our users in the community?

RAMSHATH | Last updated: Nov 15, 2022 05:50AM UTC

Tried the same method shown in the video but was not able to get a different length variation.

Michelle, PortSwigger Agent | Last updated: Nov 15, 2022 08:31AM UTC

Hi, can you tell us a bit more about the steps you took? Are you using Burp Suite Community or Burp Suite Professional? How many usernames and passwords did you include in the attack at a time?
