The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Username enumeration via response timing - ("X-Forwarded-For:" not working)

Hari | Last updated: Nov 24, 2021 03:26AM UTC

Hi, the "X-Forwarded-For:" header is not working; I tried to do a lot of research but no luck. Below are the request and response. Tried placing it above and below Connection, still did not work. Please help, thanks in advance.

===========================
Request
-----------
POST /login HTTP/1.1
Host: ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net
Cookie: session=ZlJCrTO5ejbD7n8sBDi0iZRZod9BK0Jl
Content-Length: 386
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
X-Forwarded-For: 501

username=wienere&password=peterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeterpeter
===============
Response
------------
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=zL1n8eERJ8DiQWNowuNCsYKwIyr2nAqA; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 2938

<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>Username enumeration via response timing</title>
</head>
<body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class='academyLabBanner'>
<div class=container>
<div class=logo></div>
<div class=title-container>
<h2>Username enumeration via response timing</h2>
<a class=link-back href='https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing'>
Back&nbsp;to&nbsp;lab&nbsp;description&nbsp;
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'>
<span>LAB</span>
<p>Not solved</p>
<span class=lab-status-icon></span>
</div>
</div>
</div>
</section>
</div>
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
<a href="/my-account">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<h1>Login</h1>
<section>
<p class=is-warning>You have made too many incorrect login attempts. Please try again in 30 minute(s).</p>
<form class=login-form method=POST action=/login>
<label>Username</label>
<input required type=username name="username">
<label>Password</label>
<input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section>
</div>
</section>
</div>
</body>
</html>
===================================

Hannah, PortSwigger Agent | Last updated: Nov 24, 2021 10:54AM UTC

Hi, have you tried following along with the "Community solution" video, or following the written instructions?

Hari | Last updated: Nov 24, 2021 04:24PM UTC

Tried both, but no luck!

Hari | Last updated: Nov 26, 2021 04:04AM UTC

Can anyone please help?

Hannah, PortSwigger Agent | Last updated: Nov 26, 2021 10:48AM UTC

I can confirm that the lab is working as expected. Make sure you're using a Pitchfork attack in Intruder, so that you can use two different payload sets to keep changing your X-Forwarded-For header whilst trying all of the different username and password combinations.
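The server-side picture behind this thread, as an added example and not PortSwigger's lab code: the lockout ("too many incorrect login attempts") is keyed on the client-supplied X-Forwarded-For header, and the password hash only runs for usernames that exist, which is what produces the timing difference. The hardened variant keys the lockout on the socket peer address (honouring X-Forwarded-For only from an assumed trusted proxy at 10.0.0.5) and always performs the slow hash; the user, salt and proxy address are constructed demo values.

```python
import hashlib
import hmac
from collections import defaultdict

SALT = b"demo-salt"                 # constructed demo values, not the lab's data
PBKDF2_ROUNDS = 20_000
TRUSTED_PROXIES = {"10.0.0.5"}      # assumed address of the reverse proxy
MAX_FAILURES = 3

class LoginServer:
    """hardened=False reproduces the lab's two flaws: lockout keyed on the
    client-controlled X-Forwarded-For header, and a password hash that is
    only computed when the username exists (the timing side channel)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.hash_calls = 0  # lets a test observe whether the slow hash ran
        self.users = {"carlos": self._pbkdf2("correct-horse")}
        self.dummy = self._pbkdf2("unused")  # compared against for unknown users
        self.failures = defaultdict(int)

    def _pbkdf2(self, password):
        self.hash_calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)

    def _client_key(self, peer_ip, headers):
        xff = headers.get("X-Forwarded-For", "")
        if not self.hardened:
            return xff or peer_ip  # the client chooses its own lockout bucket
        if peer_ip in TRUSTED_PROXIES and xff:
            return xff.split(",")[-1].strip()  # only the hop our proxy appended
        return peer_ip  # direct clients: socket address only, header ignored

    def login(self, username, password, peer_ip, headers):
        key = self._client_key(peer_ip, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        stored = self.users.get(username)
        if self.hardened:
            # Always run the slow hash so valid and invalid usernames cost the same.
            ok = hmac.compare_digest(self._pbkdf2(password), stored or self.dummy)
            ok = ok and stored is not None
        else:
            ok = stored is not None and self._pbkdf2(password) == stored  # short-circuits
        if not ok:
            self.failures[key] += 1
            return "invalid"
        self.failures[key] = 0
        return "ok"
```

Counting `hash_calls` before and after a login with an unknown username shows the leak directly: the vulnerable server skips the hash, the hardened one does not, and rotating X-Forwarded-For no longer resets the failure counter.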

Hari | Last updated: Nov 27, 2021 12:31PM UTC

Successfully completed the lab. I was using it in my office environment, where the X-Forwarded-For header is blocked in the firewall or something. With that in mind, I then used my personal PC and it worked. Thanks for your efforts @hannah

Hannah, PortSwigger Agent | Last updated: Nov 29, 2021 11:59AM UTC