Username enumeration via subtly different responses
This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:
Candidate usernames
Candidate passwords
To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
We will enumerate the username field first.
Under Settings > Grep - Match, we enter the strings we want to search for in each response. In this case, we are looking for the error message "Invalid username or password." (including the trailing period).
The username "as" does not show the expected error message, so it could be the username we are looking for.
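As an added example that is not part of this write-up or the lab's own code, the snippet below shows the kind of login handler this lab exploits (two failure branches, one with a trailing period and one without) next to a hardened version that returns one byte-identical message for every failure, plus a self-check a defender can run against either. The user store, credentials and salt are constructed for the demo.

```python
# Added example: vulnerable vs. hardened login failure handling (constructed data).
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS = {"carlos": (_SALT, _hash("montoya", _SALT))}  # hypothetical demo account
# Dummy hash so an unknown username still costs one PBKDF2 call (no timing hint either).
_DUMMY = _hash(secrets.token_hex(8), _SALT)

def login_vulnerable(username: str, password: str) -> str:
    """Two failure paths, two slightly different strings: the period leaks existence."""
    if username not in USERS:
        return "Invalid username or password"        # no trailing period
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid username or password."       # trailing period: user exists
    return "Welcome"

GENERIC_ERROR = "Invalid username or password."

def login_hardened(username: str, password: str) -> str:
    """One failure path, one constant string, same work done whether or not the user exists."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "Welcome" if ok else GENERIC_ERROR

def leaks_username(login) -> bool:
    """Self-check: does a wrong password on a real user differ from an unknown user?"""
    return login("carlos", "wrong") != login("nobody", "wrong")

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_username(login_vulnerable))  # True
    print("hardened leaks:  ", leaks_username(login_hardened))    # False
```

The same self-check is what the Grep - Match step in Burp performs by hand: if any failure response differs from the others, the login form is distinguishing valid from invalid usernames.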