Ensure Burp and the OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.
- From the OWASP BWA Landing page, click the link to the GetBoo application:
- Click the Log In button, and at the login screen, attempt to log in with an account username of admin and a password of aaaaa:
- Note that the message returned is The password is invalid. From this information, we know that admin is a valid account. Let's use Burp Intruder to find more accounts.
- In Burp's Proxy | HTTP history tab, find the failed login attempt message. View the Response | Raw tab to find the same overly verbose error message, The password is invalid:
- Flip back to the Request | Raw tab and right-click to send this request to Intruder:
- Go to Burp's Intruder tab and leave the Intruder | Target tab settings as they are. Continue to the Intruder | Positions tab. Notice how Burp places payload markers around each parameter value found. However, we only need a payload marker around the username value. Click the Clear § button to remove the payload markers placed by Burp:
- Then, highlight the name value of admin with your cursor and click the Add § button:
- Continue to the Intruder | Payloads tab. Many testers use word lists to enumerate commonly used usernames within the payload marker placeholder. For this recipe, we will type in some common usernames to create a custom payload list.
- In the Payload Options [Simple list] section, type the string user and click the Add button:
- Add a few more strings such as john, tom, demo, and, finally, admin to the payload-listing box:
- Go to the Intruder | Options tab and scroll down to the Grep – Match section. Click the checkbox Flag result items with responses matching these expressions. Click the Clear button to remove the items currently in the list:
- Click Yes to confirm you wish to clear the list.
- Type the string The password is invalid within the textbox and click the Add button. Your Grep – Match section should look as shown in the following screenshot:
- Click the Start attack button located at the top of the Options page. A pop-up dialog box appears displaying the payloads defined, as well as the new column we added under the Grep – Match section. This pop-up window is the attack results table.
- The attack results table shows that each request with the given payload resulted in a status code of 200, and that two of the payloads, john and tom, did not produce the message The password is invalid within the responses. Instead, those two payloads returned a message of The user does not exist:
- The results in this attack results table reveal a username enumeration vulnerability based on the overly verbose error message The password is invalid, which confirms that the user account exists on the system:
This means we are able to confirm that accounts already exist in the system for the users user, demo, and admin.
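The root cause the recipe surfaces is a login handler with two distinct failure branches. The following added example (not GetBoo's code; the user store, password scheme and message strings are constructed for illustration) shows such a verbose handler next to a hardened one that returns a single generic message and always performs the hash comparison, so neither the message nor the response time reveals whether the username exists. The `failure_messages` helper is the defender's self-check equivalent of the Grep – Match column: more than one distinct failure message means the endpoint leaks.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed demo value; real deployments use a tuned cost


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (demo scheme, not GetBoo's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Passwords are "<name>-secret".
_SALT = os.urandom(16)
USERS = {name: (_SALT, _hash(f"{name}-secret", _SALT)) for name in ("user", "demo", "admin")}

# Dummy credential so an unknown username costs the same work as a known one.
_DUMMY = (_SALT, _hash("dummy-placeholder", _SALT))

GENERIC_ERROR = "Invalid username or password."


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the two failure branches tell the caller whether the account exists."""
    if username not in USERS:
        return "The user does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "The password is invalid"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the hash is computed on every call."""
    salt, stored = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(stored, _hash(password, salt))
    # The membership check keeps a guess of the dummy password from logging in.
    if password_ok and username in USERS:
        return "OK"
    return GENERIC_ERROR


def failure_messages(login, candidates, password="aaaaa"):
    """Self-check: the set of failure messages seen across candidate usernames.

    A leaking endpoint returns more than one distinct message (the recipe's
    'The password is invalid' versus 'The user does not exist' split).
    """
    return {login(name, password) for name in candidates} - {"OK"}


if __name__ == "__main__":
    names = ["user", "john", "tom", "demo", "admin"]
    print("verbose :", failure_messages(login_verbose, names))
    print("uniform :", failure_messages(login_uniform, names))
```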