| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Authentication — Account Lock Logic Flaw, Username Enumeration |
| Difficulty | Practitioner |
| Objective | Enumerate a valid username, brute-force that user's password, then access their account page |
Username Enumeration via Account Lock
The lab uses account locking as a brute-force defense, but the locking behavior itself is worth probing first — if the lockout only triggers for real accounts, it becomes a username oracle on its own.
I intercepted a login request made with throwaway credentials (teto:teto) and sent it to Burp Intruder, configured as a cluster bomb attack with payload positions on both the username and password fields, each fed from its own candidate wordlist.
I added a grep match on the common "Invalid username or password." message so that any response not containing it would be easy to spot.
Running the attack, the username "user" stood out immediately: instead of the generic failure message, several attempts against it returned "You have made too many attempts."
That's the logic flaw: the lockout only fires for "user", which only makes sense if it's a real account being protected. Invalid usernames have no account to lock, so they keep returning the generic message indefinitely. The lockout mechanism intended to slow down brute-forcing ended up confirming exactly which username was worth targeting.
With "user" confirmed, I ran a sniper attack with the username fixed to that value against the full password list.
Most attempts came back with a lockout or failure message, but one password candidate returned no message at all in the response body.
That blank response was the anomaly to flag. The account was locked mid-attack, so the correct password didn't produce a clean 302 — it just slipped through without generating a wrong-password message, which stands out against the uniform noise of everything else. Dismissing it as "inconclusive" would have meant missing the right candidate entirely.
I waited a few minutes for the lockout window to expire, then logged in directly with that password.
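To make the two logic flaws concrete from the defender's side, here is an added example (not code from the lab or from PortSwigger) that models a login handler with both behaviours seen above, beside a hardened version of the same lockout policy. The user store, the account name "carlos", its password, and the threshold of three failures are constructed for the example; the two message strings are the ones quoted in the write-up.

```python
import hashlib
import hmac

GENERIC = "Invalid username or password."
LOCKED = "You have made too many attempts."
MAX_FAILS = 3          # constructed threshold, not the lab's real value
LOCK_SECONDS = 60


def _digest(pw: str) -> str:
    # SHA-256 keeps the example short; production code would use argon2 or bcrypt.
    return hashlib.sha256(pw.encode()).hexdigest()


def fresh_state():
    """Constructed in-memory stores (example data, not the lab's accounts)."""
    users = {"carlos": {"hash": _digest("correct-horse"), "fails": 0, "locked_until": 0.0}}
    attempts = {}      # per-submitted-name counters, used only by hardened_login
    return users, attempts


def vulnerable_login(users, username, password, now=0.0):
    """Mirrors the two behaviours observed in the write-up.

    1. Lock state lives on the user record, so only a real account can ever
       answer LOCKED; an unknown name gets GENERIC forever.
    2. The password is checked before the lock is enforced, and the locked
       branch sets no message, so the right password against a locked
       account comes back as an empty body instead of a failure message.
    """
    user = users.get(username)
    if user is None:
        return GENERIC
    if hmac.compare_digest(user["hash"], _digest(password)):
        if user["locked_until"] > now:
            return ""        # blank response: the anomaly the write-up flagged
        user["fails"] = 0
        return "OK"
    user["fails"] += 1
    if user["fails"] >= MAX_FAILS:
        user["locked_until"] = now + LOCK_SECONDS
        return LOCKED
    return GENERIC


def hardened_login(users, attempts, username, password, now=0.0):
    """Same policy, but nothing in the response depends on account existence."""
    state = attempts.setdefault(username, {"fails": 0, "locked_until": 0.0})
    # Enforce the lock before any password work, and answer with the same
    # generic text as every other failure, so lock state is not observable.
    if state["locked_until"] > now:
        return GENERIC
    user = users.get(username)
    # Compare against a dummy digest for unknown names so the same work is
    # done on both paths; the result is discarded unless the account exists.
    expected = user["hash"] if user else _digest("")
    match = hmac.compare_digest(expected, _digest(password))
    if user is not None and match:
        state["fails"] = 0
        return "OK"
    state["fails"] += 1
    if state["fails"] >= MAX_FAILS:
        state["locked_until"] = now + LOCK_SECONDS
    return GENERIC


def enumeration_oracle(variant):
    """True if a burst of wrong passwords yields different message sets for a
    real name and an invented one, i.e. the lockout leaks account existence."""
    users, attempts = fresh_state()
    wrong = ["a", "b", "c", "d"]
    if variant == "vulnerable":
        login = lambda u, p: vulnerable_login(users, u, p)
    else:
        login = lambda u, p: hardened_login(users, attempts, u, p)
    real = {login("carlos", p) for p in wrong}
    fake = {login("nobody", p) for p in wrong}
    return real != fake


def locked_correct_password(variant):
    """Message returned for the correct password once the account is locked."""
    users, attempts = fresh_state()
    for pw in ["a", "b", "c"]:             # three failures trigger the lock
        if variant == "vulnerable":
            vulnerable_login(users, "carlos", pw)
        else:
            hardened_login(users, attempts, "carlos", pw)
    if variant == "vulnerable":
        return vulnerable_login(users, "carlos", "correct-horse")
    return hardened_login(users, attempts, "carlos", "correct-horse")


if __name__ == "__main__":
    for v in ("vulnerable", "hardened"):
        print(v, "leaks existence:", enumeration_oracle(v),
              "| locked + correct password ->", repr(locked_correct_password(v)))
```

Keying the counters on the submitted name rather than the account record is what removes the oracle, but it means unknown names accumulate entries, so a real deployment would bound and expire that table. Locking a real account on failures the attacker controls is also a denial-of-service lever, which is why lockout is usually paired with per-source rate limiting rather than used alone; neither point is from the lab, they are general practice.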
Lab solved