Burp Suite User Forum


Lab: Username enumeration via response timing question.

Kusanagi | Last updated: Jan 20, 2023 12:05AM UTC

In the above-mentioned lab, using the XFF header is required to bypass the brute-force IP blocking. The XFF header takes an IP address (127.0.0.1, for example); however, to solve this lab the value of XFF is a number. First I used the IP address value to spoof my IP, and it worked, but there were no differences in the response time, so I couldn't do enumeration, but once the value of XFF changed to a number it worked. Can someone explain to me why? And how could I arrive at that?

Hannah, PortSwigger Agent | Last updated: Jan 24, 2023 04:32PM UTC

Hi, could you provide some more detail about the issues you faced, please?
