Hello guys.
My name is Sohail Ahmed and this is my first writeup about an attack scenario that I learned from solving Portswigger labs.
Most of you guys know how to do an Intruder attack, right?
Send the request to Intruder, select the parameters, load a payload and click Start Attack. But there is a lot more we can do with it in different cases, and I want to share some cases that might occur while we are brute forcing.
Case 1: Simple Username/Password Enumeration
In this case, the steps are very easy. I guess most bug bounty hunters already know this.
Send the request to Intruder, select the parameters, load a payload and start the attack. Then check the status code and response length of each result: the request whose status or length differs from the rest is the one with the valid username/password, and all the others with the same length/status are invalid.
Case 2: Username Enumeration via subtly different responses.
In this case, the steps are the same but there is an addition. Sometimes the status/length is the same even for the correct/valid username/password. There may still be a small change in the response to the request that contains the correct username/password. To catch this we can use "Grep - Extract", which can be found on the "Options" tab.
Before starting the attack, go to the Options tab, scroll down to "Grep - Extract" and click Add -> Fetch Response. This shows a response we received earlier; in it, search for the error message, for example "Invalid username or password." Select that whole string and then start the attack. After the attack, Intruder shows the extracted string for every request, so we can check whether all responses are still the same or whether one of them differs slightly from "Invalid username or password.". If one response is different, for example the valid candidate's response differs only by the full stop (.) at the end, we know which username/password is correct. To practice this case you can solve this lab: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses This will help you understand this case more.
Case 3: Bypassing a Rate Limit.
We can use the X-Forwarded-For header if the application trusts it to identify the client's IP address. This can bypass the rate limit, and we can submit as many requests as we want by simply changing the IP in the header. For this case, we just have to insert the following header in the request.
X-Forwarded-For: 127.0.0.1
We will have to brute force the IP and also the other parameter which we want to enumerate. For the IP we will brute force the ".1" part (the last octet). We will select this 1 and the other parameter.
Now, how do we set 2 different payloads for 2 different parameters?
There is an attack type called "Pitchfork" that I learned about from this lab. It lets us select a different payload list for each of the 2 parameters. How to do this?
Select both parameters and change the attack type to Pitchfork. Go to the Payloads tab and click on Payload set; the options there (1, 2, 3, 4 ...) depend on how many parameters you have selected, and you can load a different payload list for each parameter and then start the attack. Note that Pitchfork walks the lists in step (the first IP with the first password, the second with the second, and so on), so the IP list needs at least as many entries as the password list. If someone is interested in solving this lab then please have a look at the below lab.
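To see why the header trick works and how it is fixed, here is an added Python example (not from the original post or from PortSwigger): a toy login rate limiter keyed on the client IP, in the vulnerable form that trusts any X-Forwarded-For value, beside a hardened form that only honours the header when the TCP peer is a known proxy. The threshold, proxy address and client addresses are constructed for the demo.

```python
from collections import defaultdict

LIMIT = 3                       # hypothetical threshold: block after 3 failed logins per key
TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the only hop allowed to set X-Forwarded-For


def client_ip_naive(peer_ip, headers):
    """Vulnerable: trusts X-Forwarded-For from any peer, so whoever sends the
    request chooses the key the rate limiter counts against."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, headers):
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted
    proxy, and use the rightmost address (the one that proxy appended)."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer_ip


class LoginRateLimiter:
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, peer_ip, headers):
        """Return True if the login attempt may proceed, False if it is blocked.
        Every attempt counts as a failure (constructed: wrong password each time)."""
        key = self.key_func(peer_ip, headers)
        if self.failures[key] >= LIMIT:
            return False
        self.failures[key] += 1
        return True


def simulate(key_func, attempts=10):
    """Constructed scenario: one client at 203.0.113.7 sends `attempts` login
    requests, rotating X-Forwarded-For: 127.0.0.N the way the Pitchfork attack does.
    Returns how many of those attempts the limiter let through."""
    limiter = LoginRateLimiter(key_func)
    allowed = 0
    for n in range(1, attempts + 1):
        headers = {"X-Forwarded-For": f"127.0.0.{n}"}
        if limiter.attempt("203.0.113.7", headers):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive limiter allowed:", simulate(client_ip_naive))        # 10: bypassed
    print("hardened limiter allowed:", simulate(client_ip_hardened))  # 3: blocked
```

The naive limiter lets all 10 rotated requests through, while the hardened one keys every request on the real peer address and blocks after the third attempt.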
There are other labs for Intruder attacks which you can check to learn different techniques. I would recommend every beginner to go visit them and learn these things.
Lastly, I want to say that this was my first blog so if something seems not right please do let me know and I might correct it. I just wanted to share this thing that I learned and thought it might motivate others as well so I shared this. I am also a learner and this is just for those people who ask me where to learn and what to learn.
Thank you for reading :)