Burp Suite User Forum


Concerns regarding "Lab: Username enumeration via response timing"

Eivind | Last updated: Apr 26, 2023 11:38PM UTC

Hello, I wanted to raise a concern regarding the "Lab: Username Enumeration via Response Timing" module. While the lab itself covers the technique of bypassing IP lockout using HTTP headers, the prerequisites for the lab (specifically, "https://portswigger.net/web-security/authentication" and "https://portswigger.net/web-security/authentication/password-based") do not mention or explain this technique. This made it difficult for me to complete the exercise without checking the solution, as I was not aware of the technique. It would be helpful if future modules could include all necessary information and resources to complete the exercises.

Michelle, PortSwigger Agent | Last updated: Apr 28, 2023 09:25AM UTC

Thanks for the feedback. There is a small section under the Username enumeration section that gives an overview of response times on the page you mentioned: https://portswigger.net/web-security/authentication/password-based. Were you looking for more detail on the type of attack or the use of the Intruder tool for this type of attack?

Eivind | Last updated: Apr 29, 2023 02:27PM UTC

Hi Michelle, I had no trouble discovering and exploiting the response time, but I was unable to find any information on the use of X-Forwarded-For header to bypass the IP-based brute-force protection. The hint in the lab suggests that this protection can be easily bypassed by manipulating HTTP request headers, but we were not previously informed that the X-Forwarded-For header could be used for this purpose. Consequently, it was challenging to determine the solution without resorting to the answer.
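To show why the lockout discussed above is weak and how to key it correctly, here is an added defender-side example (not PortSwigger's lab code and not part of this thread). It models a login rate limiter with two ways of deriving the client key: a naive one that trusts X-Forwarded-For from any peer, and a hardened one that only honours the header when the TCP peer is a configured trusted proxy. All addresses, the proxy range and the attempt limit are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_ATTEMPTS = 3
# Constructed: the only hosts allowed to set X-Forwarded-For (our own reverse proxies).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


class LoginLimiter:
    """Counts failed logins per client key and locks a key after MAX_ATTEMPTS."""

    def __init__(self, trust_xff_from=None):
        self.failures = defaultdict(int)
        self.trust_xff_from = trust_xff_from or []

    def client_key_naive(self, headers, socket_ip):
        # Weak: the first X-Forwarded-For value wins, so every request can pick its own bucket.
        xff = headers.get("X-Forwarded-For")
        return xff.split(",")[0].strip() if xff else socket_ip

    def client_key_hardened(self, headers, socket_ip):
        # Only honour X-Forwarded-For when the TCP peer is one of our proxies, and then
        # take the rightmost value, which is the one that proxy appended itself.
        if any(ip_address(socket_ip) in net for net in self.trust_xff_from):
            xff = headers.get("X-Forwarded-For")
            if xff:
                return xff.split(",")[-1].strip()
        return socket_ip  # otherwise the socket address is the only trustworthy identity

    def attempt(self, key, success):
        if self.failures[key] >= MAX_ATTEMPTS:
            return "locked"
        if not success:
            self.failures[key] += 1
        return "ok" if success else "failed"


def simulate(key_fn_name, attempts=10):
    """Run failed logins from one TCP peer whose X-Forwarded-For changes every request.
    Returns how many attempts reached password verification instead of being locked out."""
    limiter = LoginLimiter(trust_xff_from=TRUSTED_PROXIES)
    key_fn = getattr(limiter, key_fn_name)
    socket_ip = "203.0.113.7"  # constructed: the real peer address (TEST-NET-3)
    reached_check = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}  # constructed, differs each time
        if limiter.attempt(key_fn(headers, socket_ip), success=False) != "locked":
            reached_check += 1
    return reached_check
```

With the naive key every one of the ten attempts is evaluated; with the hardened key only the first three are, after which the peer is locked regardless of the header.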

Michelle, PortSwigger Agent | Last updated: May 02, 2023 07:48AM UTC

Thanks for the clarification and the feedback :)
