https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Username Enumeration Vulnerabilities

Wed, 04 Apr 2007 09:34:18 GMT

We all know what username enumeration vulnerabilities are about. In this post, I will talk about them within the context of web application pentesting and will discuss some of the common issues I've come across during my experience while working at ProCheckUp.

So basically we have an application that will reveal to us when a username already exists on the system. If you do a bit of research on this type of vulnerability, you usually find the example of a login page which, when submitting wrong credentials, will specifically inform the user (and attackers) whether the entered username is already present on the system or not. This is what I like to call a username enumeration vulnerability of bruteforcable type, because we usually run a dictionary attack to exploit the responses of the application. There is another type of username enumeration vulnerability which I would like to call dumpable. In dumpable username enumeration vulnerabilities, the target application coughs up a list of existing usernames. You might wonder how this could happen. I've seen it work by accessing exposed config files (i.e. users.conf.xml). Another example that comes to my mind is portal applications which sometimes allow you to do advanced searches and obtain lists of usernames existing on the system without requiring you to be logged in. In this post, we will focus on bruteforcable username enumeration vulns.

Although nothing stops you from blindly trying common set of credentials such as admin/admin, admin/password, test/test and so on, enumerating usernames does definitely increase the chance of an account being cracked. Think of username enumeration as the first stage in the process of cracking a set of credentials. The problem is that not all web applications are vulnerable to this type of flaw. However, there are ways we can push the limits.

Let's say that you access https://acme-site.com/logon.aspx, and you try to authenticate with the credentials madeupusername/password. The application, if vulnerable, will respond with a message similar to the following one:

Authentication failure: entered username does not exist.

However, if we enter an existing username, the application will then give a different message such as:

Authentication failure: incorrect password entered.

Username enumeration vulnerabilities can be found in several other ways besides probing changes of responses in login authentication errors. I've seen four different ways to find bruteforcable username enumeration issues:

  • analyzing changes in error messages on login facilities (as discussed above)
  • analyzing changes in error messages on password recovery facilities
  • analyzing changes in error messages on account signup facilities
  • probing existing URIs

Each of these types have pros and cons. If I could choose out of all of them I would definitely pick the last two (I'll explain why later).

Login facilities (login pages) are the most popular way to find username enumeration on web apps. However, for this very reason , its popularity, security-aware developers might have already considered the issues related to having a login error reveal existing usernames. In other words, you're less likely to enumerate usernames through a login page. Please note that I'm not saying it's rare to find username enumeration vulns on login pages, but rather that they are simply less likely to be found than other types.

The second problem with enumerating usernames through a login failure is that you are at risk of locking out accounts if a lockout account policy is enabled. Although only one authentication error should not lock out an account, you're playing with fire. Say that you're writing a script to enumerate usernames using a dictionary attack. While tweaking the script you may probe some usernames more than once, therefore taking the risk of locking out the target accounts.

For the second method, analyzing changes in error messages password recovery facilities, again, as an attacker/pentester you're exploiting differences in the application response. Typically we find a Forgot password feature that allows you to receive an email with a new password (or a link that allows you to set a new password). All the user usually needs to do is enter his username or email address.  Now, sometimes the email address is used as the username to log into the application. In fact, this is the case on most e-cart sites. Designing the application to use the user's email address as the username is common because it's less likely for someone to forget his email address than a login name.

Remember: there many web applications that allow users to set their username to something different to their email address. Thus, making automated username enumeration more feasible.

A password recovery facility that is vulnerable to username enumeration (most of them out there are) might return an error message like the following when entering an email address that does not exist:

Sorry, the email address entered does not exist.

On the other hand, entering a valid email address would look like similar to this:

A new password has been sent to your email address.

In short, this method for enumerating usernames is good as a last resort, because most web applications allow usernames to be enumerated through the password recovery facility. However, from the stealth point of view, this is the worst way to enumerate usernames. Think about it, if you do successfully enumerate a valid username, the target account's owner will get an email with a new password. This is pretty noisy, since you're telling the victim user: "Hey, I'm probing your account!". Even worse, sometimes these reset password emails will include your browser's User-agent header value plus the source IP address that was used to request a new password! Not that I am saying that it is not possible to hide your POP.

Let's now talk about the third method for enumerating usernames: analyzing changes in error messages on account signup facilities. This method is great for three reasons:

  • it always works! (provided that an account signup facility exists)
  • the victim user won't know his/her account is being probed (no emails sent to the victim user for instance)
  • account lockout policies won't disable the target account no matter how many times we probe a given username

Again, this is the same old story. We send a request, in this case typically through a form to register a new account. If the account signup facility is vulnerable to username enumeration, we will get an error message similar to the following when entering an existing username (login name/email address):

Sorry, there is already an account registered with the same email address.

Otherwise, if the entered username does not exist, the account signup process will proceed to the next step (if any), or simply finish successfully.

I recently came across an interesting example while performing a PCI DSS test at work. In this case, we were testing an online retailer, and performed a proof-of-concept username enumeration attack against the account signup facility. The result was quite successful since we enumerated more than 600 usernames. Eventually we cracked about 40 accounts by simply bruteforcing a few common passwords against each of the usernames we had enumerated previously. This case was particularly interesting because the site allowed users to change their login name from their email address to any value of their choice. Since many users chose dictionary words, digits, three-letter long and other predictable strings as their usernames, the results were more effective than expected.

If you are a developer you might be wondering how you can protect your site against this kind of attack. Well, although it's virtually impossible to make an account signup facility immune to username enumeration, it is however possible to avoid automated username enumeration attacks against it by implementing a CAPTCHA mechanism.

Finally, the last method to enumerate usernames is probing existing URIs. I haven't seen this work on high-profile web applications, but it should be mentioned nevertheless. Let's say that the there is a portal hosted on https://acme-site.com/ that is used by employees of acme. In this portal, a different directory is assigned to each user's home page. For instance, for the username victimuser there will be a directory called /webhome/victimuser/.

If the web server responds differently when requesting existing directories, then we can enumerate usernames. For instance, it is very common to see web servers return 403 Forbidden error codes when trying to access a directory that exists, but the user is not allowed to access. Otherwise the server would usually return a 404 Not Found error code.

Think of del.icio.us for instance. Every user is allocated an URI equals to his/her username. For instance, if your username is hacker, then the URL http://del.icio.us/hacker/ will exist. On the other hand, if the username probed does not exist (i.e.: http://del.icio.us/madeupusername/), the server might respond with a 404 Not Found error code. Of course, because of the nature of del.icio.us, this is not a big deal. After all, the site only provides a public bookmarking service, so no sensitive data is at risk.

As a final note, let me say something about webapps that use email addresses as login names/usernames. In this cases you might think that it's pretty pointless to find a username (email) enumeration vulnerability. After all, how likely is it that you will find a valid email address since, not only you need to guess the username (i.e.: targetuser), but also the domain name (i.e.: targetuser@acme-shopping.com). Well, the truth is that some sites do actually have test accounts and sometimes even administrative accounts that authenticate through the same login page as regular users. In these cases I always try common usernames with a domain equals to the site that I'm pentesting. In other words, if you are testing a site called www.acme-shopping.com, you should try to enumerate usernames such as test@acme-shopping.com, support@acme-shopping.com, admin@acme-shopping.com, acmeadmin@acme-shopping.com and so on.

You should also search on public websites, maillists and groups for email addresses that use the target domain. An email harvesting tool might come handy in this case. Even if you know that regular users login using email addresses as usernames, you should also try common usernames without appending @acme-shopping.com, as you never know what could work.

I hope you found this post useful. I might do a second part that deals with exploiting username enumeration vulnerabilities as opposed to probing/identifying them.

Security Test Cases的更多相关文章

  1. Magic Quadrant for Security Information and Event Management

    https://www.gartner.com/doc/reprints?id=1-4LC8PAW&ct=171130&st=sb Summary Security and risk ...

  2. Summary of 2016 International Trusted Computing and Cloud Security Summit

    1)      Welcome Remarks 2)      The advancement of Cloud Computing and Tursted Computing national st ...

  3. Code Review Engine Learning

    相关学习资料 https://www.owasp.org/index.php/Code_review https://www.owasp.org/images/8/8e/OWASP_Code_Revi ...

  4. go语言项目汇总

    Horst Rutter edited this page 7 days ago · 529 revisions Indexes and search engines These sites prov ...

  5. Golang优秀开源项目汇总, 10大流行Go语言开源项目, golang 开源项目全集(golang/go/wiki/Projects), GitHub上优秀的Go开源项目

    Golang优秀开源项目汇总(持续更新...)我把这个汇总放在github上了, 后面更新也会在github上更新. https://github.com/hackstoic/golang-open- ...

  6. Introducing KSQL: Streaming SQL for Apache Kafka

    Update: KSQL is now available as a component of the Confluent Platform. I’m really excited to announ ...

  7. Security » Authorization » 通过映射限制身份

    Limiting identity by scheme¶ 通过映射限制身份(这部分有好几个概念还不清楚,翻译的有问题) 36 of 39 people found this helpful In so ...

  8. A Study of WebRTC Security

    转自:http://webrtc-security.github.io/ A Study of WebRTC Security Abstract Web Real-Time Communication ...

  9. SharePoint 2010: Nailing the error "The Security Token Service is unavailable"

    http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the ...

随机推荐

  1. shell截取字符串的方法

    参考文献: linux中shell截取字符串方法总结 [Linux]如何在Shell脚本中计算字符串长度? 截取字符串的方法一共有八种,主要为以下方法 shell中截取字符串的方法有很多中, ${ex ...

  2. 获取登陆ip

    想获取用户的ip, 在vendor\yiisoft\yii2\web\User.php的login中看到 $ip = Yii::$app->getRequest()->getUserIP( ...

  3. iOS黑客技术相关

    在黑客的世界里,没有坚不可破的防护系统,也没有无往不胜.所向披靡的入侵利器,有时候看似简单的问题,破解起来也许花上好几天.好几个月,有时候看似很 low 的工具往往能解决大问题:我们以实现微信自动抢红 ...

  4. Ubuntu下C/C++man手册安装方法及使用方法

    C++在线文档: http://www.cplusplus.com/reference/ https://msdn.microsoft.com/zh-cn/library/aa187916.aspx  ...

  5. HA模式强制手动切换:IPC's epoch [X] is less than the last promised epoch [X+1]

    -- ::, WARN org.apache.hadoop.hdfs.qjournal.client.QuorumJournalManager: Remote journal failed to wr ...

  6. NOIP2014

    DAY1 生活大爆炸版石头剪刀布 直接模拟即可. // codevs3716 #include<algorithm> #include<iostream> #include&l ...

  7. Webpack打包工具实时更新操作(启用观察者模式)

    可能存在这样的问题,每次修改完js/css文件之后,都要进行手动打包一下,浏览器上刷新一下. 那么我一般这样做: 1.安装Hbuilder,并启用边编辑边看的模式(其实这个是默认的). 2.启动Web ...

  8. XCode显示iOS Simulators时不显示系统版本号并出现Identifier(UUID)

    如果出现如下的显示问题,说明你添加了多个相同系统版本的iOS Simulators: 打开Windows->Devices,查看已经出现了相同版本的模拟器: 那么我们删除一些相同的模拟器,即可解 ...

  9. html代码规范

    HTML代码规范   我们知道,前端工程师入门容易,通过学习基本的HTML和CSS就能在浏览器上看到实际的效果,可是要写好的HTML,就不是那么容易了.这里将和大家分享HTML规范,希望大家读完之后都 ...

  10. JS-Array数组对象

    <!DOCTYPE html><html> <head> <meta charset="UTF-8"> <title>A ...