July 17, 2026
Broken brute-force protection, IP block
PortSwigger->Authentication->lab:6
By Tarif Bin Belal
2 min read
Lab Information
- Platform: PortSwigger Web Security Academy
- Category: Authentication
- Lab: Broken brute-force protection, IP block
- Difficulty: Apprentice
The purpose of this lab is to:
-
Demonstrate that brute-force protection can be bypassed if it contains a logic flaw.
-
How IP-based brute-force protection is typically implemented.
-
How logic flaws can make security controls ineffective.
SOLVE:
Understanding the Vulnerability:
Normally, after several failed login attempts, the application temporarily blocks further requests from the same IP address.
However, this lab contains a subtle logic flaw.
Instead of permanently increasing the failed-attempt counter, the application resets the counter whenever a successful login occurs.
This means an attacker can repeatedly perform:
Wrong Login
Wrong Login
Correct Login (Own Account)
Wrong Login
Wrong Login
Correct LoginWrong Login
Wrong Login
Correct Login (Own Account)
Wrong Login
Wrong Login
Correct LoginAs a result, the attacker never reaches the IP lock threshold.
Environment Setup
Before starting:
- Open the PortSwigger Lab
- Launch Burp Suite
- Open Burp Browser (Chromium)
- Configure Burp Proxy
- Navigate to the login page
Step 1 — Observe the Login Protection
Attempt to log in with:
Username: carlos
Password: testUsername: carlos
Password: testSend the request to Repeater.
Click Send multiple times.
Eventually you'll receive:
"You have made too many incorrect login attempts. Please try again in 1 minute."
This confirms that IP-based brute-force protection exists.
Step 2 — Discover the Logic Flaw
Now authenticate using the provided valid account:
Username: wiener
Password: peterUsername: wiener
Password: peterA successful login returns:
HTTP/2 302 FoundHTTP/2 302 Found
After testing different sequences, you'll notice something interesting.
Wrong
Wrong
Wrong
BlockedWrong
Wrong
Wrong
Blockedyou can do:
Wrong
Wrong
Correct (wiener)
Wrong
Wrong
Correct (wiener)Wrong
Wrong
Correct (wiener)
Wrong
Wrong
Correct (wiener)Each successful login resets the failed-login counter.
This completely defeats the protection.
Step 3 — Prepare Burp Intruder
Send the login request to Intruder.
Configure two payload positions:
- Username
- Password
Select:
Attack Type → PitchforkAttack Type → PitchforkPitchfork allows synchronized payloads for both positions.
Step 4 — Build the Payload List
Since the failed-login counter resets after every successful login, the payload list must follow a specific pattern.
Example:
carlos:test1
carlos:test2
wiener:peter
carlos:test3
carlos:test4
wiener:peter
...carlos:test1
carlos:test2
wiener:peter
carlos:test3
carlos:test4
wiener:peter
...This ensures every two failed attempts are followed by one successful login.
A simple Python script can automatically generate this sequence.
Step 5 — Configure Resource Pool
Inside Intruder:
Resource Pool
→ New Resource Pool
→ Maximum Concurrent Requests = 1Resource Pool
→ New Resource Pool
→ Maximum Concurrent Requests = 1Using a single request at a time keeps the payload sequence in the correct order.
Step 6 — Launch the Attack
Start the Intruder attack.
Watch the response status codes.
Most requests return:
200 OK200 OKEventually one request returns:
302 Found302 FoundThat indicates the correct password for carlos has been discovered.
Step 7 — Login as Carlos
Use the recovered credentials.
After logging in successfully, the lab is marked as solved.
🎉 Congratulations!