The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Username enumeration via account lock server timeout issue

Nathan | Last updated: Sep 25, 2020 10:22PM UTC

I'm attempting to do this Lab, but whenever the requests reach the 400s, it keeps timing out for me, giving me a 504 error. I've tried breaking up the requests into 20, 25, and even 33/33/34 per attack, but when I do that, I don't see any differences that would indicate the correct username has been found. Is there something that I may be missing? Every result looks the same: status 200, length 3256. I'm out of ideas except for Turbo Intruder, but I'm not confident enough to be able to go that route...

Uthman, PortSwigger Agent | Last updated: Sep 28, 2020 09:15AM UTC

Hi Nathan, I do not appear to be having the same issue as you. Have you considered looking at a video solution on YouTube? If you think there is a bug in the lab, please either wait 15 minutes and try again or email us on support@portswigger.net with further details.

Nathan | Last updated: Sep 28, 2020 08:27PM UTC

I have, but it seems like everyone on YouTube uses the Professional edition. I forgot to mention I use the Community edition as a student, which I believe time-throttles attacks.

Uthman, PortSwigger Agent | Last updated: Sep 29, 2020 09:01AM UTC

Hi Nathan, that could be a contributing factor since the lab will keep timing out. Have you considered applying for a free trial of Pro? Please apply with your university email address.

Nathan | Last updated: Sep 30, 2020 06:36PM UTC

Hello Uthman, thank you so much for the recommendation! The free trial of Burp Suite Professional worked perfectly, no errors! Thank you so much for your help!

Sean | Last updated: Feb 08, 2022 03:47PM UTC

So, you could fix this but you won't. How cute. Someone should sit you down and explain that if you're trying to make your software and training the industry standard it needs to work, not use it as a bait and switch to buy the paid version, which I'm sure most of us will do in the future as long as your apathy doesn't lead me to learn OWASP ZAP. Figure it out.

Ben, PortSwigger Agent | Last updated: Feb 09, 2022 09:48AM UTC