The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Username enumeration via response timing question.

Kusanagi | Last updated: Jan 20, 2023 12:05AM UTC

In the above-mentioned lab, using the XFF header is required to bypass the brute-force IP blocking. The XFF header takes an IP address (127.0.0.1, for example); however, to solve this lab the value of XFF is a number. First I used the IP address value to spoof my IP, and it worked, but there were no differences in the response time, so I couldn't do enumeration. But once the value of XFF changed to a number, it worked. Can someone explain to me why? And how could I reach that?

Hannah, PortSwigger Agent | Last updated: Jan 24, 2023 04:32PM UTC