Web Security Bug - Lab: Username enumeration via account lock

Pedro | Last updated: Mar 09, 2023 11:24AM UTC

Hello, this lab requires user enumeration via account lock; the account lock is obtained after 3 failed login attempts. After we enumerate the valid username from the wordlist, we should brute-force the password. I used the Burp Intruder extension with a delay of 60 seconds between every 3 attempts, which caused me to lose 30 minutes solving this challenge when apparently it was not necessary. It's here that the challenge is badly implemented, because you do not need to worry about the 1-minute block after 3 failed attempts during the brute force to solve the challenge. It does not seem obvious to me from the description and the context of the challenge. I am reporting it as a bug, because I believe that the next solvers will have the same issue because of the misinterpretation. Waiting for review, xpto1995

Ben, PortSwigger Agent | Last updated: Mar 10, 2023 08:28AM UTC

Hi Pedro, just to clarify, why did you think adding a delay of 1 minute was necessary in your Intruder attack?

