Portswigger: Username enumeration via subtly different responses Writeup
When we try to login with test:test on the login page, we see the message “Invalid username or password.” in the response to the request. We can see if this message will appear for all usernames in the responses to the requests. We send the request to the intruder. We choose sniper attack type. In …