4. Authentication Challenge Walkthrough
My try
Before the walkthrough I tested in Burp, following the hint provided by the course teacher, and from the responses with Length: 3696 I found the following existing users:
root, admin, administrator, alex
I tested each one with a single login attempt and got the error: "Password incorrect, added a lockout attempt"
I also tested a random username that I know for sure does not exist, and the website did not return any message showing that something is suspicious about it.
Burp Suite way
Findings after following the walkthrough:
To run combo-list attacks in Burp Suite we need the Cluster Bomb attack type in Intruder, which allows multiple payload sets.
In this case we use one payload set of usernames and another of passwords.
Since we only have 5 attempts before lockout, we take the 5 most common passwords from the SecLists xato top-10 list and test them against the most common usernames list.
ffuf way
As usual we copy the request from Proxy > HTTP History in Burp Suite into a text file.
Then we open the file and change the username and password values to FUZZUSER and FUZZPASS.
Command to run ffuf:
ffuf -request req2.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSER -w pass.txt:FUZZPASS
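Added example (not from the course or these notes): a small model of the login handler behind the lab, showing why the valid usernames could be picked out by response length in Burp, next to a hardened variant that answers every failure identically while still enforcing the 5-attempt lockout. The four usernames and the lockout limit come from the notes; the credential values, the unknown-user message and the generic message are assumptions.

```python
import hmac

# Constructed credential store; the four usernames are the ones found in the notes.
# A real service compares a password hash, not the plaintext.
USERS = {"root": "pw-root", "admin": "pw-admin",
         "administrator": "pw-administrator", "alex": "pw-alex"}
MAX_ATTEMPTS = 5                              # the lab's "only 5 attempts" lockout
GENERIC = "Invalid username or password."     # assumed wording for the hardened variant
DUMMY = "pw-no-such-user"                     # compared against for unknown users


class LoginService:
    def __init__(self, hardened: bool = False):
        self.hardened = hardened
        self.failures = {}  # username -> failed attempts so far

    def login(self, username: str, password: str) -> str:
        stored = USERS.get(username)
        if stored is None:
            # Vulnerable: unknown users get a different (shorter) reply and no lockout
            # bookkeeping, which is what the Length column in Burp exposed.
            # Hardened: same reply as any other failure; still do a comparison so the
            # timing does not give the difference away instead.
            hmac.compare_digest(DUMMY, password)
            return GENERIC if self.hardened else "Login failed"
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            return GENERIC if self.hardened else "Account locked"
        if hmac.compare_digest(stored, password):
            self.failures.pop(username, None)
            return "Welcome"
        self.failures[username] = self.failures.get(username, 0) + 1
        return GENERIC if self.hardened else "Password incorrect, added a lockout attempt"


def enumerate_by_length(service: LoginService, candidates: list) -> set:
    """The check from the notes: one wrong-password attempt per name, and any name
    whose reply differs in length from a surely-nonexistent user is a real account."""
    baseline = len(service.login("definitely-not-a-user-9f3a", "wrong"))
    return {u for u in candidates if len(service.login(u, "wrong")) != baseline}
```

Against the vulnerable service the check returns exactly the four accounts; against the hardened one it returns nothing, yet the fifth wrong attempt on alex still locks the account.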
Arlix's AppSecExplained notes:
https://appsecexplained.gitbook.io/