Authentication Vulnerabilities - Lab #4 Username enumeration via different responses | Long Version

In this video, we cover Lab #4 in the Authentication module of the Web Security Academy. This lab is subtly vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:

Candidate usernames: https://portswigger.net/web-security/...
Candidate passwords: https://portswigger.net/web-security/...

To solve the lab, we enumerate a valid username, brute-force this user's password, then access their account page.

Support Me
Buy my course: https://academy.ranakhalil.com/p/web-...

Contents of this video
00:00 - Introduction
00:13 - Web Security Academy Course (https://bit.ly/30LWAtE)
01:24 - Navigation to the exercise
01:55 - Understand the exercise and make notes about what is required to solve it
02:32 - Exploit the lab
10:10 - Summary
10:34 - Thank You

Links
Notes.txt document: https://github.com/rkhal101/Web-Secur...
Web Security Academy Lab Exercise: https://portswigger.net/web-security/...
Rana's Twitter account: / rana__khalil
