Username Enumeration

Overview of the Vulnerability

Username enumeration is a vulnerability in which an attacker can confirm or guess valid usernames through a difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability that allows an attacker to brute force passwords, stuff credentials, or carry out further attacks such as social engineering.

Business Impact

Username enumeration can result in reputational damage for the business through the impact on customers’ trust in the application’s protection of user accounts. If an attacker is able to chain this vulnerability with another, it can lead to user account compromise and data exfiltration.

Steps to Reproduce

  1. Use a browser to navigate to: {{URL}}

  2. Attempt to authenticate

  3. Observe the response from the server, which indicates whether the username/email is valid or not

Proof of Concept (PoC)

The screenshot below shows the response from the server:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot of how you exploited the vulnerability. Your submission must include evidence of the vulnerability and must not be theoretical in nature. Attaching a screenshot of your Intruder run showing the full HTTP request and response for a valid and an invalid account will work for this submission.

Attempt to escalate the username enumeration to perform additional actions (such as further enumeration that is not initially apparent and exposes additional PII). If this is possible, provide a full Proof of Concept (PoC) here.

Recommendation(s)

The server should respond to valid and invalid authentication attempts with the same message. For example: "Login failed. Username or Password invalid."

The server should also take the same amount of time to respond to a valid or an invalid request, so that an attacker cannot use the timing difference to distinguish between the two.
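As an added illustration of the two recommendations above (example code, not from the original report or from any particular application), a Python login handler with the leaky behaviour beside a hardened version that returns one generic message and does the same password-hashing work whether or not the username exists. The in-memory user store, salts and credentials are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

USERS = {"alice": _new_record("correct horse")}

# Dummy record used for unknown usernames so the same hashing work is done
# on every request; its password never matches because of the membership check below.
_DUMMY = _new_record(os.urandom(16).hex())

GENERIC_ERROR = "Login failed. Username or Password invalid."

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message differs and unknown usernames skip the hash work."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username."        # reveals that the account does not exist
    salt, stored = record
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "Incorrect password."      # reveals that the account does exist
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """Same message and the same amount of work for valid and invalid usernames."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash the supplied password (against the dummy record if the user is
    # unknown) and compare in constant time, so neither the message nor the
    # response time reveals whether the username was found.
    candidate = _hash(password, salt)
    matched = hmac.compare_digest(stored, candidate)
    return "OK" if (matched and username in USERS) else GENERIC_ERROR
```

A dummy hash equalizes the password-check path only; other steps such as database round trips or account-lockout lookups can still differ between known and unknown users, so measure both responses rather than assume they are equal.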
