[This lab](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock) demonstrates how account lock mechanisms — intended to prevent brute-force attacks — can inadvertently leak valid usernames through inconsistent error messages. We exploit this flaw to enumerate a user, then brute-force their password, ultimately accessing the account. ## Step-by-Step Exploit ### 1. Username Enumeration via Lock Message * Sent multiple login requests using Burp Intruder (`Cluster Bomb`) ![[CleanShot 2025-07-13 at [email protected]]] * Repeated each username 5 times with a dummy (null) password ![[CleanShot 2025-07-13 at [email protected]]] * Observed one username responded with: ``` You have made too many incorrect login attempts. ``` This indicates the username is **valid**. ![[CleanShot 2025-07-13 at [email protected]]] ### 2. Brute-forcing Password * Switched to Intruder `Sniper` mode * Fixed the identified username * Injected password payloads * Monitored response differences — found one without an error message ![[CleanShot 2025-07-13 at [email protected]]] ### 3. Final Step * Waited for account lock to reset * Logged in successfully with the identified credentials