Avoiding User Enumeration

If an attacker can probe your site to find out whether a given username exists, they get a head start on attacking your users' accounts: they can build a list of valid usernames and then concentrate their password-guessing on accounts they know are real.

Risks

Prevalence Common
Exploitability Easy
Impact Worrying

Allowing enumeration of usernames is not a serious vulnerability in itself, but combined with other weaknesses, such as a login form that can be brute-forced, it halves the attacker's problem: they no longer have to guess the username, only the password.

Protection

As shown in our exercise, avoiding user enumeration is a matter of making sure no pages or APIs can be used to differentiate between a valid and invalid username, unless the matching password is supplied. To recap:

Login
  • Return the same generic message, such as “Invalid username or password”, for every login failure, whether the username is unknown or the password is wrong.
  • Make sure the HTTP response (status code, headers and body) and the time taken to respond are the same when a username does not exist as when an incorrect password is entered. In practice this means never returning early for an unknown username: run the password hash check against a dummy credential so both paths do the same amount of work.
Password Reset
  • Make sure your “forgotten password” page does not reveal whether a username or email address is registered.
  • If your password reset process involves sending an email, have the user enter their email address, show the same “if an account exists, we have sent an email” confirmation in every case, and send the reset link only if the account actually exists.
Registration
  • Avoid having your site tell people that a supplied username is already taken.
  • If your usernames are email addresses, respond identically to every sign-up attempt; if the address is already registered, send that address a password reset email instead of creating a new account.
  • If usernames are not email addresses, the site has to reject duplicates, so protect your sign-up page with a CAPTCHA and rate limiting. Note that this only slows down automated probing; it does not remove the oracle entirely.
Profile Pages
  • If your users have profile pages, make sure they are only visible to other users who are already logged in.
  • If you hide a profile page, ensure a hidden profile is indistinguishable from a non-existent profile: same status code, same page content and same response time.
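The Login and Registration items above, as an added example (it is not code from the original page or from any product): a minimal backend whose login path does the same work and returns the same response whether or not the username exists, and whose sign-up path moves the “already registered” signal out of band, into an email. The user store, the PBKDF2 iteration count, the `OUTBOX` list standing in for an email service and all messages are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed values for this example; not a real product's settings.
PBKDF2_ITERATIONS = 100_000  # modest so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256): the expensive step we must never skip."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store: username (an email address here) -> credential record.
USERS = {"alice@example.com": make_user("correct horse battery staple")}

# A dummy credential of the same shape as a real one, so an unknown username
# still costs one full hash computation and the digest comparison is over
# equal-length values.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = (401, "Invalid username or password")


def login_leaky(username: str, password: str) -> tuple:
    """The 'before' version: three distinguishable outcomes, plus an early
    return that skips the hash for unknown users (a timing tell)."""
    user = USERS.get(username)
    if user is None:
        return (404, "No such user")
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return (200, "Welcome")
    return (401, "Wrong password")


def login_hardened(username: str, password: str) -> tuple:
    """Same status, body and amount of work whether the username exists or not."""
    user = USERS.get(username)
    known = user is not None
    salt = user["salt"] if known else _DUMMY_SALT
    expected = user["hash"] if known else _DUMMY_HASH
    # The hash is always computed, so response time does not depend on `known`.
    match = hmac.compare_digest(hash_password(password, salt), expected)
    if known and match:
        return (200, "Welcome")
    return GENERIC_FAILURE


# --- Sign-up with email-address usernames -----------------------------------

OUTBOX = []  # stands in for an email-sending service in this example


def signup(email: str, password: str) -> tuple:
    """Always answers the same way; the difference goes out by email, to an
    inbox only the owner of the address can read."""
    if email in USERS:
        # Existing account: create nothing, say nothing, send a reset link.
        OUTBOX.append((email, "You already have an account; use this link to reset your password"))
    else:
        USERS[email] = make_user(password)
        OUTBOX.append((email, "Welcome; confirm your address with this link"))
    return (200, "Check your email to continue")


if __name__ == "__main__":
    print(login_leaky("nobody@example.com", "x"), login_leaky("alice@example.com", "x"))
    print(login_hardened("nobody@example.com", "x"), login_hardened("alice@example.com", "x"))
    print(signup("alice@example.com", "pw"), signup("bob@example.com", "pw"))
    print(OUTBOX)
```

When testing a real deployment, the timing half of this is what usually slips: send a few hundred requests each for a known and an unknown username and compare the response-time distributions, not just the bodies. A login handler that looks up the user and returns before hashing will show a visible gap even when the error message is identical.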
