Burp Suite User Forum

Login to post

Lab: Username enumeration via response timing - ("X-Forwarded-For:" not working)

MYPALA | Last updated: Nov 24, 2021 03:26AM UTC

Hi, the "X-Forwarded-For:" header is not working, I tried to do lot of researches but no luck. Below are the request and response. Tried placing above and below connection still did not work. Please help, Thanks in advance =========================== Request ----------- POST /login HTTP/1.1 Host: ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net Cookie: session=ZlJCrTO5ejbD7n8sBDi0iZRZod9BK0Jl Content-Length: 386 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net/login Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close X-Forwarded-For: 501 username=wienere&password=peterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeter =============== Response ------------ HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Set-Cookie: session=zL1n8eERJ8DiQWNowuNCsYKwIyr2nAqA; Secure; HttpOnly; SameSite=None Connection: close Content-Length: 2938 <!DOCTYPE html> <html> <head> <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet> <link href=/resources/css/labs.css rel=stylesheet> <title>Username enumeration via response timing</title> </head> <body> <script src="/resources/labheader/js/labHeader.js"></script> <div id="academyLabHeader"> <section class='academyLabBanner'> <div class=container> <div class=logo></div> <div class=title-container> <h2>Username enumeration via response timing</h2> <a class=link-back href='https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing'> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow> <g> <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon> <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon> </g> </svg> </a> </div> <div class='widgetcontainer-lab-status is-notsolved'> <span>LAB</span> <p>Not solved</p> <span class=lab-status-icon></span> </div> </div> </div> </section> </div> <div theme=""> <section class="maincontainer"> <div class="container is-page"> <header class="navigation-header"> <section class="top-links"> <a href=/>Home</a><p>|</p> <a href="/my-account">My account</a><p>|</p> </section> </header> <header class="notification-header"> </header> <h1>Login</h1> <section> <p class=is-warning>You have made too many incorrect login attempts. Please try again in 30 minute(s).</p> <form class=login-form method=POST action=/login> <label>Username</label> <input required type=username name="username"> <label>Password</label> <input required type=password name="password"> <button class=button type=submit> Log in </button> </form> </section> </div> </section> </div> </body> </html> ===================================

Hannah, PortSwigger Agent | Last updated: Nov 24, 2021 10:54AM UTC

Hi Have you tried following along with the "Community solution" video, or following the written instructions?

MYPALA | Last updated: Nov 24, 2021 04:24PM UTC

Tried the both, but no luck!

MYPALA | Last updated: Nov 26, 2021 04:04AM UTC

Can anyone please help

Hannah, PortSwigger Agent | Last updated: Nov 26, 2021 10:48AM UTC

I can confirm that the lab is working as expected. Make sure you're using a Pitchfork attack in Intruder, so that you can use two different payload sets to keep changing your X-Forwarded-For header whilst trying all of the different username and password combinations.

You need to Log in to post a reply. Or register here, for free.