Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Possible bug in "Broken brute-force protection, multiple credentials per request" lab

Serhii | Last updated: Feb 02, 2022 10:05PM UTC

Hello Portswigger team, It seems like there's a bug in the lab located at https://portswigger.net/web-security/authentication/password-based/lab-broken-brute-force-protection-multiple-credentials-per-request The lab has accounts for two usernames: wiener and carlos. The passwords are accepted in the JSON format, like this: {"username": "wiener", "password": "peter"}. For user wiener, it is possible to enter his account in two ways. 1. You can supply JSON with multiple password fields, like this: {"username": "wiener", "password": "incorrect-password", "password": "wrong-password", "password": "wiener"}. It will work. 2. You can supply JSON with an array of possible passwords, like this: {"username": "wiener", "password": ["correct", "password", "is", "peter"]}. It will also work. The second way (array of possible passwords) seems to be the correct answer for this task. However, the first way (multiple password fields) only seems to work for user wiener. When I tried supplying {"username": "carlos", "password": "123456", "password": "password", ..., "password": "moon"}, it simply didn't work. It blew my mind. Why does it work for wiener, but not for carlos? I think either both methods should work for both usernames, or only one method should work for both usernames.

Michelle, PortSwigger Agent | Last updated: Feb 03, 2022 11:02AM UTC

Thanks for getting in touch. If you do a few more tests on this one and experiment with a few more settings you should find that if you use the array it will work, if any of the supplied passwords are correct, if you provide multiple password fields then the last one in the list has to be correct {"username": "wiener", "password": "incorrect-password", "password": "wrong-password", "password": "correct-password"} If you change that around and the correct password appears earlier in the list and is followed by incorrect passwords then it will fail in the same way as it does when you've used this format for the 'carlos' user account: {"username": "wiener", "password": "incorrect-password", "password": "correct-password", "password": "wrong-password"} So by using the array you're changing the way the details are being parsed, have another play and watch the behavior, I hope this helps :).

Serhii | Last updated: Feb 03, 2022 03:45PM UTC

Thanks for the detailed reply! I should pay more attention to the order of the inputs next time. :)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.