The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


ratelimiting intruder issue / inconvenience during the auth lab

Rens | Last updated: Jun 21, 2024 10:31AM UTC

Hi Team,

During the lab I ran into an issue with the rate limiting of the Community Edition with the Lab: Username enumeration via account lock. Here you need to lock the account to figure out the username and see what account name is valid. The account reset is after 1 minute, and therefore with a few attempts on clusterbombing an on distinctive results, I figured that the reset would already occur during the attack cycle. I couldn't find the possibility to raise a question for adding a comment to the explanations in the lab description, so I turned here.

The way I tried to "fix" the issue of the throttle is to launch multiple attacks at the same time for the lab to get to the required amount to lock an account and see a change in behavior fast enough before the reset. This can also be achieved by breaking up the account names in blocks to cycle through a portion of the account names fast enough.

Hope this helps, and maybe an additional side note can be added to the solutions paragraph for people using the Community Edition.

KR. Rens

Rens | Last updated: Jun 21, 2024 10:33AM UTC

PS. Great job on the Academy, and awesome to have this content available!

Ben, PortSwigger Agent | Last updated: Jun 21, 2024 10:40AM UTC