Burp Suite User Forum


Username enumeration via account lock

Varun | Last updated: Jul 06, 2020 03:43PM UTC

I'm getting "session has locked out" after every 400 requests (each time I tried, it's the same thing), so I tried to use Turbo Intruder, and while I am giving it a list of usernames it is printing unknown usernames and it's going into halted mode. Can anybody help me, please?

Ben, PortSwigger Agent | Last updated: Jul 07, 2020 07:42AM UTC

Hi, are you using Burp Community Edition when attempting this lab? If so, have you tried to split the supplied usernames into smaller lists (say groups of 25) in order to avoid some of the throttling that will occur when using Burp Intruder?

Advin | Last updated: Feb 21, 2021 09:06AM UTC

I've done the split, but into 2 files of 50 usernames each. No timeout for the session. But there is another issue: all of the responses are identical! All error messages are `Invalid username or password.` Am I doing something wrong or ...?

Ben, PortSwigger Agent | Last updated: Feb 22, 2021 12:11PM UTC

Hi, that does not sound quite right. As the solution states, the responses for one of the usernames should have a Length that is longer than the others (indicating that it is being handled differently). I have just run through the first part of the solution and was able to confirm that this is still functioning as expected. Are you able to provide some details of the steps that you have carried out so that we can check what you are doing? If it is easier to do this whilst also including screenshots, then please feel free to send us an email at support@portswigger.net
