[This lab](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock) demonstrates how account lock mechanisms — intended to prevent brute-force attacks — can inadvertently leak valid usernames through inconsistent error messages. We exploit this flaw to enumerate a user, then brute-force their password, ultimately accessing the account.
## Step-by-Step Exploit
### 1. Username Enumeration via Lock Message
* Sent multiple login requests using Burp Intruder (`Cluster Bomb`)
![[CleanShot 2025-07-13 at
[email protected]]]
* Repeated each username 5 times with a dummy (null) password
![[CleanShot 2025-07-13 at
[email protected]]]
* Observed one username responded with:
```
You have made too many incorrect login attempts.
```
This indicates the username is **valid**.
![[CleanShot 2025-07-13 at
[email protected]]]
### 2. Brute-forcing Password
* Switched to Intruder `Sniper` mode
* Fixed the identified username
* Injected password payloads
* Monitored response differences — found one without an error message
![[CleanShot 2025-07-13 at
[email protected]]]
### 3. Final Step
* Waited for account lock to reset
* Logged in successfully with the identified credentials