> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/trick-0619.md).

# Username Enumeration via Login Error

***

Web applications may reveal valid usernames by presenting distinct error messages or response properties (like length or specific content) when a correct username but incorrect password is submitted, compared to submitting an entirely invalid username. Differences in response can manifest in various ways, including different HTTP status codes, variations in the size of the response body, or subtly different content within the response, such as specific error messages like "Invalid username" versus "Incorrect password". In some cases, the timing of the response can also differ, with valid usernames sometimes resulting in slightly faster or slower responses due to different server-side processing. Another indicator can be the application's behavior regarding account lockouts; if a username is valid, repeated failed login attempts may lead to that specific account being locked, which can be observed through different response messages or behavior compared to attempts with invalid usernames.

To exploit this, use a username wordlist (e.g., from Seclists). SecLists is a collection of wordlists and attack patterns, with a dedicated directory specifically for usernames. Iterate through the wordlist, attempting to log in with each username and a constant, incorrect password. Carefully observe the application's response for each attempt. Look for anomalies such as differences in HTTP status codes, response body content, or, as noted, potentially shorter response string lengths indicating a valid username versus an invalid one or a lockout message.

Tools like Burp Suite's Intruder are ideal for automating this process, allowing you to load a wordlist, configure the payload position (username field), and easily analyze the response lengths or content for each attempt. To perform username enumeration using Burp Intruder, you can configure a Sniper attack type. This involves defining a single payload position corresponding to the username parameter in the login request. The list of potential usernames is then loaded as the payload for this position. After launching the attack, configure Intruder to detect variations in the responses by adding columns for response length and HTTP status code in the results table. Sorting the results table using the response length or status code column can help group together responses that might indicate valid usernames. Analyzing these differences allows identification of valid usernames based on the distinct responses they elicit compared to invalid ones.
