While mapping a target web application, you notice the login endpoint consistently returns the generic message "Invalid credentials". However, Burp Suite Repeater shows an average of 300 ms extra processing time whenever the supplied username actually exists in the database. Which approach should you automate to most effectively enumerate valid accounts without triggering account lockout policies?
Perform credential stuffing with leaked email/password pairs against the endpoint
Inject NULL bytes into the username field to bypass the password verification code
Launch a password-spraying campaign using one common password for every user
Measure server response delays to conduct a timing-based username enumeration attack
The extra latency for valid usernames indicates that the server performs additional work, such as password hashing, only when the account exists. By scripting repeated login attempts and measuring response times, an attacker can distinguish existing usernames from nonexistent ones without guessing passwords, thereby staying under account lockout thresholds. Password spraying and credential stuffing rely on knowing usernames first, while NULL-byte poisoning or HTTP verb tricks do not exploit timing discrepancies.
Certified Ethical Hacker (CEH)
Web Application Hacking