July 17, 2026
Lab Walkthrough: Exploiting Username Enumeration via Different Responses
Introduction

By 5um1t0x
2 min read
Introduction
In this lab, we identify a valid username by analyzing different login error messages, then use it to find the correct password and log in successfully.
Step 1: Testing with an Invalid Username
I intercepted the login request in Burp Suite and sent a login attempt with a random username.
Request: username=autodiscover&password=admin
As you can see in the response on the right, the application returns:
This confirms that when the username does not exist, it shows a specific error message. We will compare this with the response for a valid username to enumerate users.
Step 2: Enumerating a Valid Username
Next, I sent the login request to Burp Intruder and brute-forced the username parameter with a wordlist.
In the results, almost all responses had a Length of 3352 with the message Invalid username. One payload was different:
Payload: arizona - Length: 3354
As you can see in the response, it returns:
This difference in response length and error message confirms that arizona is a valid username. I used admin as a dummy password just for enumeration.
Step 3: Confirming the Valid Username
I sent another login request using:
Username: arizona
Password: adminUsername: arizona
Password: adminThe server responded with:
This confirms that arizona is a valid username. The password is incorrect, so the next step is to test candidate passwords for this username using Burp Intruder.
Step 4: Finding the Correct Password
I used Burp Intruder to test different password candidates for the valid username:
Username: arizonaUsername: arizonaThe password austin produced a different response. This redirect confirms that austin is the correct password. I then logged in using:
The lab was successfully completed.
Conclusion
The lab was solved by identifying the valid username arizona from the different error response, then finding its password austin through Intruder. This demonstrates how different login responses can lead to username enumeration.
Powered by Sukshield
Follow me on
LinkedIn: Sumit Battani | Twitter: https://twitter.com/5um1t0x TryHackMe: TryHackMe | 5um1t0x