User Enumeration


LizardSquad, the “hacker” group that recently DDoSed Microsoft’s and Playstation’s gaming networks, released a DDoS tool/service that can be found on

LizardStresser is simply another booter, a tool that anyone (mostly script-kiddies) can pay to DDoS a target. Like every other booter, LizardStresser is accessible through a webpage where users can sign up and pay for booter access.

Lizard Stresser purchase page

Not surprisingly, LizardStresser is extremely poorly written, which led me to find a user enumeration vulnerability in a few minutes.

Dumping Usernames and UIDs

Through the site’s ticket system, users can request customer support from admins.

After a ticket is created, a user can send messages through the ticket.

Ticket message thread

When the “Send” button is pressed, an XHR request is sent to “” with the parameters “content”, “tid”, and “uid”. The content refers to the message, tid is the ticket id, and uid is (you guessed it) the sender’s user id.

So what happens when we resend the request with a different UID?

Changing the UID

With an easy Python script, we can now fully enumerate all users:

And we get something like:

User enumeration preview

For a list of UIDs and usernames, visit the following link:


Not surprisingly, I don’t recommend ever paying for LizardStresser (or any booter service). While user enumeration isn’t as interesting as a full database dump, I wouldn’t be surprised if anyone manages to find more vulnerabilities, especially since their platform is so poorly written.
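The root cause of the enumeration above is server-side: the endpoint trusts whatever uid the client sends instead of the identity already bound to the session, and echoes the resolved username back. The following is an added example, not code from the original post or from LizardStresser: a hypothetical vulnerable handler beside its fixed form, plus a log heuristic that flags sessions iterating through uid values. The handler names, users, tickets and log lines are all constructed.

```python
# Added example, not the booter's code. Handler names, data and log
# format are hypothetical stand-ins for the ticket endpoint described above.

# Constructed sample data standing in for the site's users and tickets.
USERS = {1: "alice", 2: "bob", 3: "carol"}
TICKETS = {10: {"owner": 1, "messages": []}, 11: {"owner": 2, "messages": []}}

# Constructed access-log lines: one per ticket message POST.
LOG = [
    "session=s1 tid=10 uid=1",
    "session=s2 tid=11 uid=2",
    "session=s2 tid=11 uid=3",
    "session=s2 tid=11 uid=4",
    "session=s1 tid=10 uid=1",
]

class Forbidden(Exception):
    pass

def send_message_vulnerable(session_uid, form):
    """Trusts form['uid'] as the sender. Any logged-in user can post as, and
    therefore resolve the username of, every uid they submit."""
    uid = int(form["uid"])
    ticket = TICKETS[int(form["tid"])]
    ticket["messages"].append((USERS[uid], form["content"]))
    return USERS[uid]  # username echoed back: this is the enumeration oracle

def send_message_fixed(session_uid, form):
    """Sender identity comes only from the server-side session, and the
    ticket must belong to that user. form['uid'] is ignored entirely."""
    ticket = TICKETS.get(int(form["tid"]))
    if ticket is None or ticket["owner"] != session_uid:
        raise Forbidden("ticket not owned by caller")  # same error either way
    ticket["messages"].append((USERS[session_uid], form["content"]))
    return USERS[session_uid]

def suspicious_sessions(log_lines, threshold=3):
    """Detection heuristic: flag sessions that post with many distinct uid
    values, the signature of walking uid=uid+1 through the user table."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen.setdefault(fields["session"], set()).add(fields["uid"])
    return sorted(s for s, uids in seen.items() if len(uids) >= threshold)

if __name__ == "__main__":
    crafted = {"tid": "10", "uid": "3", "content": "hi"}
    print(send_message_vulnerable(1, crafted))  # carol: forged sender accepted
    print(send_message_fixed(1, crafted))       # alice: session identity wins
    print(suspicious_sessions(LOG))             # ['s2']
```

The fixed handler returns the same error for a missing ticket and a foreign one, so the tid space cannot be enumerated through the error message either.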

Bonus Bugs

Bypassing Registration Limits
It seems that the front-end only lets you register one account per IP. This can easily be bypassed by manually setting an X-Forwarded-For header.

.htaccess Visible
The site’s htaccess file is publicly viewable. It doesn’t contain anything interesting though.

TitaniumStresser Clone
It seems that LizardStresser is a clone of TitaniumStresser. Aside from the same graphics, LizardStresser’s robots.txt contains: “sitemap:”


TitaniumStresser has the same owner as LizardStresser.

Stephen Archer

This is the leader of Lizard squad if anyone bothers reading it !!!

Victor Monserrate from Zaragoza, Aragon, Spain AKA Antichrist – leader of lizard squad

See sound cloud account for photo !!!


Part of lizzus login names



cool article btw


Is there any way to execute finding the passwords for this website and decrypting the hashes other than md5? If so, how?

Miguel Ripoll

Just curious, why that range specifically?

Johnny Chang

Those are the UIDs. Test to find the earliest available UID, then go and register an account and see what UID it gives you. Since they are sequential, you just do UID=UID+1 to iterate through them until you reach your newly registered ID.

P5Y Naut

If you read Brian’s article at:, he mentions the user antichrist. Antichrist’s un and pwd appear in that range. I’m guessing BK had a hunch, somehow, in regards to what antichrist’s un would be, and threw up a range that we see in the modification of the XFF script.