Username enumeration via response timing problems with X-Forwarded-For header

Daniel | Last updated: Nov 09, 2023 09:22AM UTC

Hello, I know how to solve the lab, but most of the time when I pass the X-Forwarded-For:1 I have the below request:

POST /login HTTP/2
Host: asdsdasdasd.web-security-academy.net
Cookie: session=asdasdasdasd
Content-Length: 0
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://asdsdasdasd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://asdsdasdasd.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: 2
Username=carlos&password=123:

I get the following error: "Missing parameter"

Can you help me out? In the solution they are using Connection: close before the line username, but I still face the same results.

Thank you

Daniel | Last updated: Nov 09, 2023 09:23AM UTC

Sorry, the username looks like below: Username=carlos&password=123

Dominyque, PortSwigger Agent | Last updated: Nov 09, 2023 12:55PM UTC

Hi Daniel,

Can you please share a screen recording of your attempt at the lab so we can see the exact steps you are taking? Please send this to support@portswigger.net.

