A good login system does not disclose whether it is the username or password that is wrong when a login fails, but sometimes the information is leaked through a side-channel. One approach is to monitor the time taken for the request to be processed, if the application does additional processing when a valid username is provided, the extra time taken may be noticeable. The implementation of this login form is not the best so you should be able to see a difference between a correct username and an incorrect one.
There are four valid usernames, all of which can be found in the following two name lists - Boys Girls.
There are no correct passwords, the login will always fail, you are only trying to find usernames.
If you get stuck, or want more information, see my walkthrough.
Back to home