Burp Suite User Forum

Lab: Username enumeration via account lock server timeout issue

Nathan | Last updated: Sep 25, 2020 10:22PM UTC

I'm attempting to do this lab, but whenever the requests reach the 400s, it keeps timing out for me, giving me a 504 error. I've tried breaking up the requests into 20, 25, and even 33/33/34 per attack, but when I do that, I don't see any differences that would indicate the correct username has been found. Is there something that I may be missing? Every result looks the same: status 200, length 3256. I'm out of ideas except for Turbo Intruder, but I'm not confident enough to be able to go that route...

Uthman, PortSwigger Agent | Last updated: Sep 28, 2020 09:15AM UTC

Hi Nathan, I do not appear to be having the same issue as you. Have you considered looking at a video solution on YouTube? If you think there is a bug in the lab, please either wait 15 minutes and try again or email us on support@portswigger.net with further details.

Nathan | Last updated: Sep 28, 2020 08:27PM UTC

I have, but it seems like everyone on YouTube uses the Professional edition. I forgot to mention I use the Community edition as a student, which I believe time-throttles attacks.

Uthman, PortSwigger Agent | Last updated: Sep 29, 2020 09:01AM UTC

Hi Nathan, That could be a contributing factor since the lab will keep timing out. Have you considered applying for a free trial of Pro? Please apply with your university email address.

Nathan | Last updated: Sep 30, 2020 06:36PM UTC

Hello Uthman, Thank you so much for the recommendation! The free trial of Burp Suite Professional worked perfectly, no errors! Thank you so much for your help!

Sean | Last updated: Feb 08, 2022 03:47PM UTC

So, you could fix this but you won't. How cute. Someone should sit you down and explain that if you're trying to make your software and training the industry standard it needs to work, not use it as a bait and switch to buy the paid version, which I'm sure most of us will do in the future as long as your apathy doesn't lead me to learn OWASP ZAP. Figure it out.

Ben, PortSwigger Agent | Last updated: Feb 09, 2022 09:48AM UTC

Hi Sean, You can still complete this particular lab with the free Community edition of Burp; you would just need to split up the username attack into several smaller attacks, i.e. instead of performing one Intruder attack using the 100 usernames (which requires Intruder to issue 500 requests), you would need to split up the usernames into smaller chunks (say 10 to 15 usernames) and perform multiple attacks in order to find the correct username. This is not an issue with the lab as such; the issue is because Burp Intruder is throttled in the Community edition (a non-throttled version of Intruder is a paid-for feature, in much the same way that the Burp Scanner is also not available in the free Community edition of Burp).