Burp Suite User Forum


How to add X-Forwarded-For, and what is "Columns", in the lab Username enumeration via response timing

Sam4n | Last updated: Jun 01, 2020 08:16AM UTC

I don't know how to add the X-Forwarded-For header in Burp Suite, and what is "Columns"? I need a video with the solution for the lab Username enumeration via response timing. Thanks.

Hannah, PortSwigger Agent | Last updated: Jun 01, 2020 10:57AM UTC

Hi, you will need to add the X-Forwarded-For header in the request, along with the other HTTP headers. "Columns" refers to one of the options available along the top of the screen, where you would normally have options like "Burp, Project, Intruder, Repeater, Window, Help". As this is a recently released lab, it is unlikely that anyone has posted videos on solutions.

Nick | Last updated: Jun 03, 2020 07:12AM UTC

Elang, I hit this issue too, as the instructions were not clear, so I had to do a little research. You can, and need to, manually insert the "X-Forwarded-For:" header into the POST like this:

POST /login HTTP/1.1
Host: <redacted>.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Forwarded-For: <---- INSERT HERE AND REMOVE THIS COMMENT
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: https://<redacted>.web-security-academy.net
Connection: close
Referer: https://<redacted>.web-security-academy.net/login
Cookie: session=KmjRwRiLKlKpKK8DEidAfWvwjcFtrJfq
Upgrade-Insecure-Requests: 1

csrf=GmPhAzq9rqMplx2kE0c4gmj1Y63ObGBS&username=sneakyuser&password=password123

Good luck! This was a good challenge. Admins: the main issue I had is in the solution, where it states in step 2: "Identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection." The issue with this is HOW do we identify that X-Forwarded-For is supported? There is nothing in the header to state that it is supported, and/or that it can be inserted manually. I suppose research and additional knowledge might help here, but this may need to be cleared up.

Hannah, PortSwigger Agent | Last updated: Jun 05, 2020 12:48PM UTC

We included a tip in the lab description that the HTTP request headers may need manipulating to get around the IP-based brute-force protection. The labs are intended to be challenging and to get progressively more difficult, so research and experience will definitely help in completing them. We try to get them to simulate vulnerabilities that you might find when actually testing a site.

Abhinav | Last updated: Jun 28, 2020 06:36AM UTC

I cannot find the right user even after countless tries. I tried the usernames list in Intruder. Every time I get a different username with an unusual difference between the request and response time. The results are just not consistent!

Hannah, PortSwigger Agent | Last updated: Jun 29, 2020 12:13PM UTC

Hi Abhinav, have you noticed that when the username is invalid the response time is roughly the same, but when you enter a valid username the response time increases depending on the length of the password you entered? Have you tried increasing the length of the password, so that you can more easily distinguish between a valid and an invalid username?
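To make the timing side channel above concrete from the defender's side, here is an added example (not code from the thread, the lab or PortSwigger) of a login check in the shape the lab's behaviour implies: the password hash is only computed when the username exists, so unknown users answer fast. The hardened version beside it does the same PBKDF2 work on both paths; the user store, salts and the `pbkdf2_calls` counter in the return value are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor: this is the slow step a valid user triggers


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single account; salt and hash are built at import time.
_SALT = os.urandom(16)
USERS = {"carlos": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential the hardened path verifies against when the username is unknown,
# so that an unknown user costs exactly as much as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Returns (success, pbkdf2_calls).

    Short-circuits on unknown users: an invalid username costs 0 hash
    computations while a valid one costs 1, which is the response-time
    difference that lets usernames be enumerated."""
    if username not in USERS:
        return False, 0
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored), 1


def login_hardened(username: str, password: str):
    """Same work on both paths: always run PBKDF2, against the dummy hash when
    the user does not exist, and only then fold in whether the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and username in USERS, 1
```

Measuring wall-clock time of the two functions on an unknown username shows the gap directly; the call counter is used instead so the behaviour can be checked deterministically.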

Khaled | Last updated: Oct 09, 2021 01:45PM UTC

I get this: 'You have made too many incorrect login attempts. Please try again in 30 minute(s).' despite changing X-Forwarded-For.

Hannah, PortSwigger Agent | Last updated: Oct 11, 2021 10:07AM UTC

Hi, the labs will reset completely after 15 minutes of inactivity, at which point you can relaunch the lab for a fresh copy. Have you tried following any video tutorials?

Kate | Last updated: Feb 01, 2023 10:15PM UTC

Hello, I've been trying to understand how to identify that the headers accept X-Forwarded-For, but I can't find a resource that explains this. Would it be possible to point me in the right direction for my own understanding on what to look for in future cases? Thank you! -Kate

Hannah, PortSwigger Agent | Last updated: Feb 02, 2023 09:43AM UTC

The BApp Store extension "Param Miner" is an easy way to identify supported headers.

Samin | Last updated: Sep 02, 2023 09:08AM UTC

When I try to use X-Forwarded-For in Burp it says "missing parameter". What is the problem? It is saying that it is in line 6, which is a sec-ch-ua header.

Ben, PortSwigger Agent | Last updated: Sep 04, 2023 07:45AM UTC

Hi Samin, are you able to share some details of the request that you are trying to send, so that we can see this more clearly?

RoastedPeanut | Last updated: Oct 30, 2023 08:22PM UTC

I may be a little late to the party but for what it's worth: each HTTP request should have an "X-Forwarded-For:" header with a different value compared to the previous one. For example, your first request could have "X-Forwarded-For: 1", the second would have "X-Forwarded-For: 2", etc. You iterate the value of the header every time you try a new username/password. I was a little surprised the above worked because according to Wikipedia (https://en.wikipedia.org/wiki/X-Forwarded-For) the value of this header, when used legitimately, is supposed to be an IP address. Looks like this IP address is an arbitrary value as well, so even if the application only accepts an IP address as the value of this header, you are able to fiddle with the Payload settings in Intruder to iterate within a realistic IP range. The important part is that the application expects the value of the header to be different with every request. Also, the Pitchfork attack in Intruder is your friend :)
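The reason the per-request X-Forwarded-For trick above works is that the lockout is keyed on a client-supplied header. This added example (not code from the thread or the lab) contrasts a failure counter keyed that way with one that only honours X-Forwarded-For when the TCP peer is a proxy the site operates, and then takes the right-most hop that is not one of those proxies. The peer addresses, the trusted-proxy set and the `MAX_FAILURES` limit are constructed for illustration.

```python
import ipaddress

MAX_FAILURES = 3  # constructed: lock a client out after this many failed logins


def client_key_vulnerable(peer_ip: str, headers: dict) -> str:
    """Keys the lockout on whatever X-Forwarded-For the client sent.
    A fresh value on every request means every request is a 'new client'."""
    return headers.get("X-Forwarded-For", peer_ip).strip()


def client_key_hardened(peer_ip: str, headers: dict, trusted_proxies: set) -> str:
    """Honour X-Forwarded-For only when the immediate peer is our own proxy,
    and then use the right-most address that is not one of our proxies
    (the address the last trusted proxy actually saw)."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # unparsable hop such as "1": distrust the whole chain
    return peer_ip


class FailureCounter:
    def __init__(self):
        self.failures = {}

    def record_failure(self, key: str) -> bool:
        """Count a failed login for key; True means the client is now locked out."""
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key] >= MAX_FAILURES


def simulate(key_fn, attempts: int) -> int:
    """Replay failed logins from one peer, each carrying the next integer as
    X-Forwarded-For as described in the thread; return how many were refused."""
    counter = FailureCounter()
    refused = 0
    for i in range(1, attempts + 1):
        headers = {"X-Forwarded-For": str(i)}  # constructed: "1", "2", "3", ...
        if counter.record_failure(key_fn("203.0.113.10", headers)):
            refused += 1
    return refused
```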
