Burp Suite User Forum


how to add X-Forwarded-For and what is columns in Lab Username enumeration via response timing

Elang | Last updated: Jun 01, 2020 08:16AM UTC

I don't know how to add the X-Forwarded-For header in Burp Suite, and what is "Columns"? I need a video for the solution to the lab "Username enumeration via response timing". Thanks

Hannah, PortSwigger Agent | Last updated: Jun 01, 2020 10:57AM UTC

Hi, you will need to add the X-Forwarded-For header in the request, along with the other HTTP headers. "Columns" refers to one of the options available along the top of the screen, where you would normally have options like "Burp, Project, Intruder, Repeater, Window, Help". As this is a recently released lab, it is unlikely that anyone has posted videos on solutions.

Nick | Last updated: Jun 03, 2020 07:12AM UTC

Elang, I hit this issue too, as the instructions were not clear, so I had to do a little research. You can, and need to, manually insert the "X-Forwarded-For:" header into the POST like this:

    POST /login HTTP/1.1
    Host: <redacted>.web-security-academy.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Forwarded-For: <---- INSERT HERE AND REMOVE THIS COMMENT
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 74
    Origin: https://<redacted>.web-security-academy.net
    Connection: close
    Referer: https://<redacted>.web-security-academy.net/login
    Cookie: session=KmjRwRiLKlKpKK8DEidAfWvwjcFtrJfq
    Upgrade-Insecure-Requests: 1

    csrf=GmPhAzq9rqMplx2kE0c4gmj1Y63ObGBS&username=sneakyuser&password=password123

Good luck! This was a good challenge.

Admins: the main issue I had is in the solution. It states in step 2: "Identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection." The issue with this is HOW do we identify that X-Forwarded-For is supported? There is nothing in the header to state that it is supported, and/or that it can be inserted manually. I suppose research and additional knowledge might help here, but it may need to be cleared up.
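The reason the header works in this lab is that the application's brute-force counter is keyed on whatever address X-Forwarded-For carries. The following added example (not code from the forum thread or from PortSwigger) contrasts that naive resolver with one that only honours the header when the TCP peer is a trusted reverse proxy, and walks the chain from the right so that a client-supplied leftmost value is ignored. The proxy range, the peer addresses and the failed-login limit are constructed values for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed: the address range of the reverse proxies that really sit in
# front of the application. Only these peers may assert a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(remote_addr, headers):
    """The pattern the lab models: believe X-Forwarded-For from anyone."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_trusted(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when the peer is a trusted proxy, and take
    the rightmost address that is not one of our own proxies, so values
    prepended by the client are never used as the rate-limit key."""
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    chain = [a.strip() for a in headers.get("X-Forwarded-For", "").split(",")]
    for addr in reversed([a for a in chain if a]):
        if not _is_trusted(addr, trusted):
            return addr
    return remote_addr


class LoginLimiter:
    """Per-address failed-login counter; the resolver decides the key."""

    def __init__(self, resolver, max_failures=3):
        self.resolver = resolver
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, credentials_ok):
        key = self.resolver(remote_addr, headers)
        if self.failures[key] >= self.max_failures:
            return "blocked"
        if not credentials_ok:
            self.failures[key] += 1
            return "failed"
        return "ok"


def simulate(resolver, attempts=6):
    """Six failed logins from one non-proxy peer (constructed 198.51.100.7)
    that sends a different X-Forwarded-For value on every request."""
    limiter = LoginLimiter(resolver)
    results = []
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}
        results.append(limiter.attempt("198.51.100.7", headers, credentials_ok=False))
    return results


if __name__ == "__main__":
    print("naive resolver:  ", simulate(client_ip_naive))
    print("trusted resolver:", simulate(client_ip_trusted))
```

With the naive resolver every request lands under a fresh key and the limiter never trips; with the trusted resolver the peer is not a proxy, the header is ignored, and the fourth attempt is blocked. The same resolver also has to be used for logging, or the audit trail inherits the spoofed address.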

Hannah, PortSwigger Agent | Last updated: Jun 05, 2020 12:48PM UTC

We included a tip in the lab description that the HTTP request headers may need manipulating to get around the IP-based brute-force protection. The labs are intended to be challenging and to get progressively more difficult, so research and experience will definitely help in completing them. We try to get them to simulate vulnerabilities that you might find when actually testing a site.

Abhinav | Last updated: Jun 28, 2020 06:36AM UTC

I cannot find the right user even after countless tries. I tried the usernames list in Intruder. Every time I get a different username with an unusual difference between the request and response time. The results are just not consistent!

Hannah, PortSwigger Agent | Last updated: Jun 29, 2020 12:13PM UTC

Hi Abhinav, have you noticed that when the username is invalid, the response time is roughly the same, but when you enter a valid username, the response time increases depending on the length of the password you entered? Have you tried increasing the length of the password, so that you can more easily distinguish between a valid and an invalid username?
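The behaviour Hannah describes comes from a login routine that only does its expensive password check once it has found the username, so unknown usernames return immediately while known ones take time proportional to the work spent on the password. The added example below (constructed for this thread, not the lab's code) models that with a deliberately length-dependent hash, and shows the usual fix: run the same check against a dummy stored digest when the username is unknown, so both paths do identical work. The user database, the iteration count and the measurement helper are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed: models a password check whose cost grows with password length,
# which is what produces the timing difference the lab exposes.
ITERATIONS_PER_BYTE = 2000


def slow_hash(password):
    """Return (digest, rounds) for the constructed length-dependent hash."""
    rounds = ITERATIONS_PER_BYTE * len(password)
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest, rounds


# Constructed user store: username -> stored digest.
USERS = {"alice": slow_hash("correct horse")[0]}

# Dummy digest so that unknown usernames still pay the full hashing cost.
DUMMY_DIGEST = slow_hash("placeholder")[0]


def login_vulnerable(username, password):
    """Early exit on an unknown username: zero hashing work, fast response."""
    stored = USERS.get(username)
    if stored is None:
        return False, 0
    digest, rounds = slow_hash(password)
    return hmac.compare_digest(digest, stored), rounds


def login_hardened(username, password):
    """Same work on both paths: hash the submitted password regardless and
    compare against the real digest or the dummy one, then mask the result."""
    stored = USERS.get(username)
    digest, rounds = slow_hash(password)
    matches = hmac.compare_digest(digest, stored if stored is not None else DUMMY_DIGEST)
    return (matches and stored is not None), rounds


def measure(login, username, password):
    """Wall-clock time and hashing rounds for one login attempt."""
    start = time.perf_counter()
    _, rounds = login(username, password)
    return time.perf_counter() - start, rounds


if __name__ == "__main__":
    long_password = "x" * 50
    for login in (login_vulnerable, login_hardened):
        for user in ("alice", "nobody"):
            seconds, rounds = measure(login, user, long_password)
            print(f"{login.__name__:17s} {user:7s} rounds={rounds:7d} time={seconds:.4f}s")
```

Running it shows the vulnerable version doing 0 rounds for "nobody" and 100000 for "alice", while the hardened version does 100000 on both, so the response time no longer depends on whether the username exists. Lengthening the password, as Hannah suggests, widens the gap in the vulnerable case because the work is per byte.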
