Testing for account enumeration and guessable accounts
By interacting with an authentication mechanism and studying its responses, a tester may be able to collect a set of valid usernames. Once valid accounts have been identified, testers can attempt to brute-force their passwords. This recipe explains how Burp Suite Repeater can be used to collect a list of valid usernames via a username enumeration attack.
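The recipe works because a login form that answers "unknown username" and "incorrect password" differently lets the responses themselves confirm which accounts exist. The following is an added example (not code from the book or from the GetBoo application) that shows a leaky login handler beside a hardened one, plus the same check a tester performs with Repeater, reduced to a function that compares the responses for a known-existing account and a made-up one. The user store, salt, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo user store (username -> salted PBKDF2 hash); not real application data.
_SALT = b"demo-salt-constructed"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"demo": _hash_pw("correct horse battery staple")}

# Dummy hash so the hardened handler performs the same work for unknown usernames,
# keeping response time as well as response text uniform.
_DUMMY_HASH = _hash_pw("dummy-placeholder")


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: distinct messages reveal whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return (401, "Unknown username")
    if not hmac.compare_digest(stored, _hash_pw(password)):
        return (401, "Incorrect password")
    return (200, "Welcome")


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened pattern: identical status, message and hashing work whether or not the user exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash_pw(password))
    # The membership check stops a password that happens to match the dummy hash from logging in.
    if not (matched and username in USERS):
        return (401, "Invalid username or password")
    return (200, "Welcome")


def enumerable(handler, known_user: str = "demo", unknown_user: str = "no-such-user-xyz") -> bool:
    """The recipe's check as a defender would run it against their own login handler:
    submit a wrong password for a username that exists and for one that does not,
    and report whether the two responses can be told apart."""
    wrong_password = "definitely-not-the-password"
    existing = handler(known_user, wrong_password)
    missing = handler(unknown_user, wrong_password)
    return existing != missing


if __name__ == "__main__":
    print("leaky handler enumerable:  ", enumerable(login_leaky))    # True
    print("uniform handler enumerable:", enumerable(login_uniform))  # False
```

When reviewing a real application, the comparison is made on the full HTTP response (status code, body, headers, redirect target and response time), not just the visible message; any consistent difference between the two requests is the signal the recipe relies on, and the fix is to make every failure path return the same response.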
Getting ready
Using the OWASP GetBoo application and Burp, we will perform a username enumeration attack against the target.
How to do it...
Ensure Burp Suite and the OWASP BWA VM are running, and that Burp Suite is configured in your Firefox browser so that you can view the OWASP BWA applications:
- From the OWASP BWA landing page, click the link to the GetBoo application:
Figure 4.1 – OWASP BWA landing page
- Click the Log In button and, at the login screen, attempt to log in with an account username of demo and a password...