Burp Suite User Forum


Lab: Username enumeration via account lock

Gourav | Last updated: Aug 08, 2021 06:57PM UTC

Hi, I am not getting the required response, which contains the phrase "You have made too many incorrect login attempts." Out of a possible 505 requests, not one has a different length and all of them have 200 status. This is the first attack in Intruder for enumerating the username. I have followed every step according to the mentioned solution. But I am not getting the required response. I am using the Community edition of Burp. How do I solve this?

Ben, PortSwigger Agent | Last updated: Aug 09, 2021 09:42AM UTC

Hi Gourav, they should all have the 200 response status, but one of the responses should be a different length. Are you able to provide details of how you have set this up? If it is easier to provide screenshots, then please feel free to email us at support@portswigger.net.

Gourav | Last updated: Aug 09, 2021 10:57AM UTC

Hi Ben, I will run the test again and share the screenshots. I know all of them should have the 200 status code. What I meant is that all the requests give me the same length (3094), and I have done this lab 3-4 times so far. I have followed the solution's steps as is and also watched a few community solutions. None of them helped.

Gourav | Last updated: Aug 09, 2021 06:57PM UTC

I have sent the mail. Hoping to get this resolved soon.

Ben, PortSwigger Agent | Last updated: Aug 10, 2021 07:12AM UTC

Thanks Gourav - we have received your email so will take a look and respond there.

Adrian | Last updated: Apr 27, 2023 09:22AM UTC

Hello, I'm facing the same problem. I checked all usernames 10 times and also refreshed the lab, but there is nothing with a higher length than 2986, which is the length of all the other requests. I've watched the community video, but it didn't help. Please advise how to proceed further.

Ben, PortSwigger Agent | Last updated: Apr 27, 2023 04:17PM UTC

Hi Adrian, within the Community edition of Burp, the Intruder tool is throttled, and this is likely to be having an impact on this lab (and some other labs in this section of the Web Academy). If you break up your attack into smaller subsets, then this should work for you, i.e., rather than performing one large attack with all of the specified usernames, carry out multiple attacks with a small number of the usernames each time.
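The response-length difference the thread is looking for comes from a lock message that is only returned for accounts that actually exist. The following is an added example, not code from the forum thread or from the PortSwigger lab: a constructed login handler that leaks existence this way, beside a variant that answers every failed attempt with the same text. The user store, password and lock threshold are constructed values.

```python
# Added example (not the lab's or the thread's code): an account-lock
# message as a username oracle, and a uniform-response fix.
from dataclasses import dataclass, field

LOCK_THRESHOLD = 3  # constructed value; the lab's own threshold is not stated in the thread

@dataclass
class AuthService:
    # constructed user store: username -> password
    users: dict = field(default_factory=lambda: {"carlos": "hunter2"})
    failures: dict = field(default_factory=dict)  # username -> failed attempts

    def _record_failure(self, username: str) -> int:
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.failures[username]

    def login_vulnerable(self, username: str, password: str) -> str:
        """Locks only accounts that exist, so the lock message (and its
        different length) reveals that the username is valid."""
        if username not in self.users:
            return "Invalid username or password."
        if self.failures.get(username, 0) >= LOCK_THRESHOLD:
            return "You have made too many incorrect login attempts."
        if self.users[username] == password:
            self.failures[username] = 0
            return "Welcome back."
        self._record_failure(username)
        return "Invalid username or password."

    def login_hardened(self, username: str, password: str) -> str:
        """Counts failures for any submitted name and answers every failure,
        locked or not, with the same text, so unknown and locked accounts
        produce identical responses."""
        locked = self.failures.get(username, 0) >= LOCK_THRESHOLD
        if username in self.users and not locked and self.users[username] == password:
            self.failures[username] = 0
            return "Welcome back."
        self._record_failure(username)
        return "Invalid username or password."

def response_lengths(login, username: str, attempts: int) -> set:
    """Distinct response lengths seen over repeated wrong-password attempts;
    more than one distinct length means the endpoint leaks account existence."""
    return {len(login(username, "wrong-password")) for _ in range(attempts)}
```

Running `response_lengths` against both handlers for a known and an unknown username shows the vulnerable one yielding two lengths for the real account only, while the hardened one yields a single length in every case.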
