Information Disclosure via Descriptive Messages
Last updated
When you used this login form, did you try some random or common username/password combinations? If you tried ‘admin’ as the username with a password guess, the error message you get is ‘Password is incorrect’. But if you try any other username, let’s say ‘bob’, you see the message ‘Username is incorrect’. This means the login page gives different responses for valid and invalid usernames. So, with Burp Suite, we can try all common usernames, and wherever the response is ‘Password is incorrect’ we know that particular username exists. This attack is called ‘Username Enumeration’, and it helps an attacker find valid users on a web application and then target them specifically for other attacks.
Step 1: Go to the hacking challenge (The URL will be different for each user). http://13.126.231.126/General-Misconfigurations/Information-Disclosure-via-Descriptive-Messages-Variant-3/
Step 2: Now open Burp Suite and turn on the intercept.
Step 3: In the browser, enter anything in the username and password field, and click on the ‘Login’ button to intercept the request.
Step 4: Send this request to Intruder and turn off the intercept. Clear all selected parameters under the ‘Positions’ tab.
Step 5: Now select the username value you entered and click on the ‘Add §’ button to mark it as a payload position. For example, if you entered the username as ‘abcd’, the request body should look something like this: un=§abcd§
Step 6: Set the attack type to ‘Sniper’.
Step 7: You can now search for a list of common usernames online. For example, you can take the top 10 most common usernames from here: https://lifehacker.com/the-top-10-usernames-and-passwords-hackers-try-to-get-i-1762638243 Or simply copy this list (one per line):
administrator
Administrator
user1
admin
alex
pos
demo
db2admin
Admin
sql
Step 8: Now in the ‘Payloads’ tab, set ‘Payload type’ to ‘Simple list’.
Step 9: Click on the ‘Paste’ button under ‘Payload Options’ to paste the list you copied. If your list is large, you can instead use the ‘Load’ button to load a wordlist of usernames from a file.
Step 10: Now click on ‘Start Attack’.
Step 11: When the attack completes, sort the results by clicking on the ‘Length’ column. You will see that one of the responses has a smaller length than the others, and the username tried in that request was ‘admin’ (its response body contains the shorter ‘Password is incorrect’ message). Hence we know that ‘admin’ is a valid user.
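The root cause of the challenge is the two distinct error paths above, and the ‘Length’ column only works because their messages differ in size. The following is an added example, not code from the challenge: a minimal login handler with the leaky behaviour next to a hardened version, plus a self-check a developer can run in a unit test to confirm that a wrong password for a known user and an unknown user produce identical status, message and length. The user store, the password and the hashing scheme are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample user store (username -> hash). A real application would use
# a slow, salted password hash such as bcrypt or Argon2 instead of plain SHA-256.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def login_leaky(username, password):
    """Vulnerable: the error message tells the caller whether the username exists."""
    if username not in USERS:
        return 401, "Username is incorrect"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 401, "Password is incorrect"
    return 200, "Welcome"


def login_hardened(username, password):
    """Fixed: one generic message and the same amount of work on both failure paths."""
    # Compare against a placeholder hash when the user is unknown so the unknown-user
    # path does not return early (keeps response size and timing aligned).
    stored = USERS.get(username, _hash("placeholder-for-unknown-users"))
    password_ok = hmac.compare_digest(stored, _hash(password))
    if username in USERS and password_ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def responses_distinguishable(handler, known_user, unknown_user):
    """Defender check: True if a wrong password for a known user differs in status,
    message text or message length from the response for an unknown user."""
    known = handler(known_user, "definitely-wrong-password")
    unknown = handler(unknown_user, "definitely-wrong-password")
    return known != unknown or len(known[1]) != len(unknown[1])


if __name__ == "__main__":
    print("leaky distinguishable:", responses_distinguishable(login_leaky, "admin", "bob"))
    print("hardened distinguishable:", responses_distinguishable(login_hardened, "admin", "bob"))
```

The same check belongs in the application's test suite, since a later change to either error string silently reintroduces the enumeration oracle.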