In this vulnerable lab we see an example of username enumeration based on HTTP response timing.
The lab also employs IP-based brute-force protection, which we bypass by making use of the X-Forwarded-For header.
The timing vulnerability is not inherent to the server responses, but is something that we provoke by making use of crafted HTTP requests (with an overly long password field).
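
A server-side view of the two weaknesses described above, as an added example that is not part of the video or the lab. It assumes the timing gap comes from a login handler that hashes the password only for existing users, and that the brute-force limiter keys on a client-supplied X-Forwarded-For value; every name, address and account below is constructed for illustration.

```python
import hashlib
import hmac

# Added example: names, salt, addresses and the user table are constructed.
MAX_PW_LEN = 128                  # assumed cap; pick one that fits your KDF
TRUSTED_PROXIES = {"10.0.0.5"}    # constructed address of our own reverse proxy
SALT = b"constructed-salt"        # single salt for brevity; use per-user salts
kdf_calls = 0                     # deterministic stand-in for response time

def kdf(password):
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

USERS = {"alice": kdf("correct horse battery")}   # constructed account
DUMMY_HASH = kdf("placeholder for unknown users")

def login_vulnerable(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False              # no hashing: unknown names answer faster
    # Hashing runs only for real users, on input of unbounded length.
    return hmac.compare_digest(kdf(password), stored)

def login_hardened(username, password):
    if len(password) > MAX_PW_LEN:
        return False              # same cheap rejection for every username
    stored = USERS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(kdf(password), stored)
    return ok and username in USERS   # same work whether or not the user exists

def rate_limit_key(peer_ip, headers):
    # Honour X-Forwarded-For only when the TCP peer is our own proxy, and then
    # take the last entry, which that proxy appended itself.
    xff = headers.get("X-Forwarded-For", "")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer_ip

def kdf_work(login, username, password):
    """Return how many KDF calls one login attempt triggered."""
    before = kdf_calls
    login(username, password)
    return kdf_calls - before
```

`kdf_work` counts hash invocations instead of measuring wall-clock time, so the difference between the two handlers is visible without timing noise.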
Broken Authentication - Username Enumeration Via Response Timing | NatokHD