Today, I will talk about the username enumeration vulnerability.
User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication.
In this context, I was exploiting a vulnerable VM, the Seattle VM from Vulnhub. It contains several web vulnerabilities.
An authentication page is available at http://192.168.0.4/account.php:
When testing a random username along with a password:
The webserver response is:
A vulnerability appears, showing the attacker that username enumeration is possible by brute force. But what is the email domain? The answer is given in the terms page:
I know that the email domain used for authentication is seattlesounds.net, so let's brute-force.
I will test usernames using the rockyou dictionary. But first I have to analyze the request sent to the web server using a proxy. The authentication is as above:
Using Burp to understand the web request:
Now that I know how the web request is built, I write a script to automate the requests and retrieve usernames:
The result of my script:
The first result is a false positive but the second one is real. How does it work in the background?
The remediation is simple: don't tell whether it is the login or the password that is wrong. A generic error message is best:
"Authentication failed, be sure to have submitted the correct login/password"
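To illustrate the remediation, here is an added example (not the VM's code and not my script) of a login check in its leaky form beside its hardened form. The user store, salt and passwords are constructed for the example; the hardened version returns the same message and does the same hashing work whether the username exists or not, so neither the response text nor the response time distinguishes the two cases.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 digest). Not the VM's real accounts.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"admin@seattlesounds.net": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so an unknown username still costs one hash computation.
_DUMMY = (_SALT, _hash("dummy-password", _SALT))

GENERIC = "Authentication failed, be sure to have submitted the correct login/password"


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable version: the error text reveals whether the username exists."""
    if username not in USERS:
        return (False, "Invalid username")
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return (False, "Invalid password")
    return (True, "OK")


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message, and one hash computation, for both failure cases."""
    salt, digest = USERS.get(username, _DUMMY)
    # Hash first, then check membership, so the work done does not depend on the lookup.
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    return (ok, "OK" if ok else GENERIC)
```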
Username enumeration is the first step toward identity theft: first the attacker looks for valid usernames, then each one is tested against a password dictionary.
Feel free to comment 🙂