Username Enumeration
The Developer portal's forgot-password functionality allowed an attacker to determine whether a given username was valid. Specifically, when accessing the signup and reset-password pages, the application's response differed depending on whether a valid or an unknown username was provided.
Use case 1:
When a correct username was provided, a successful response was returned and the user was asked to follow the instructions.
Use case 2:
When an incorrect username was provided, no message was displayed; the page was only refreshed. The end user has no idea whether the input is invalid or some other error occurred.
Affected scope:
https://prodprhtzinterop.developer.healthtranzformdev.com/reset-password
Impact:
An attacker can generate a list of probable usernames and easily determine which are valid. The valid usernames can then be used in subsequent attacks, such as password brute force.
Recommendations:
Update the APIM dev portal forgot-password function to display generic error messages for both valid and invalid usernames.
Issue Analytics
- Created 2 years ago
- Reactions: 2
- Comments:10 (4 by maintainers)
Top GitHub Comments
Pen testers often report this but the fix isn’t as simple as making the message more generic. Attackers can use response times or backend HTTP codes to determine if a user exists or not.
Solving these still doesn’t actually solve the root issue if your application has any form of signup form. Instead they make your application less user friendly, but an attacker can easily test if an account exists by using your signup form - any error on email address is likely to indicate that the account exists, regardless of the message.
The correct solution would be to use anti-automation techniques such as Captcha and WAF.
Both of these are implemented in API Management already and would merit only an “info” level mention on an application security test. Only if a tester can demonstrate that the implemented mitigations are ineffective at preventing effective enumeration would it be of concern.
Looks like we’ve come to an agreement. Hence, closing it.
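The two positions above can be checked concretely. The report recommends a generic message; the maintainer's point is that a generic message alone is not enough, because the status code, the amount of server-side work (response time) and the absence of rate limiting still let an observer tell valid usernames from unknown ones. The following Python example is added here and is not code from the issue or from API Management: it models the reporter's "before" behaviour (silent reload for unknown usernames) beside a uniform "after" handler, and a defender-side self-check that reports which observable fields still differ between a known and an unknown username. The user store, the addresses, the RATE_LIMIT value and the Backend class are constructed for the example.

```python
"""Forgot-password handlers: the enumerable behaviour described in the issue
('before') beside a uniform version ('after'), plus a self-check that reports
what a remote observer could still distinguish. Added example with constructed
data; not the portal's own code."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample user store (hypothetical addresses, not from the issue).
USERS = {"alice@example.test": {"id": 1}, "bob@example.test": {"id": 2}}

RATE_LIMIT = 5  # constructed: max reset requests per client per window


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Backend:
    """Side effects a real handler would have: queued mail and costly steps."""
    queued_mail: list = field(default_factory=list)
    work_units: int = 0  # proxy for server-side time spent on the request
    attempts: dict = field(default_factory=dict)  # per-client request counter


def _issue_token(backend):
    """Generates a reset token and keeps only its hash (the costly step)."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    backend.work_units += 1
    return token, digest


def forgot_password_before(username, backend, client="c1"):
    """Enumerable: unknown users get a silent redirect and no work is done."""
    if username not in USERS:
        return Response(302, "")  # use case 2: the page just reloads
    _, digest = _issue_token(backend)
    backend.queued_mail.append((username, digest))
    return Response(200, "Success. Follow the instructions sent to your e-mail.")


GENERIC = "If an account exists for that address, reset instructions have been sent."


def forgot_password_after(username, backend, client="c1"):
    """Uniform: same status, body and amount of work whether the user exists or not."""
    count = backend.attempts.get(client, 0) + 1
    backend.attempts[client] = count
    if count > RATE_LIMIT:  # anti-automation, applied identically to every username
        return Response(429, "Too many requests. Try again later.")
    _, digest = _issue_token(backend)  # always performed, so timing does not branch
    if username in USERS:
        # Mail is queued for asynchronous delivery; nothing about it reaches the response.
        backend.queued_mail.append((username, digest))
    return Response(200, GENERIC)


def observable_difference(handler, known, unknown):
    """Returns the fields a remote observer could use to tell known from unknown."""
    b_known, b_unknown = Backend(), Backend()
    r_known = handler(known, b_known)
    r_unknown = handler(unknown, b_unknown)
    diffs = []
    if r_known.status != r_unknown.status:
        diffs.append("status")
    if r_known.body != r_unknown.body:
        diffs.append("body")
    if b_known.work_units != b_unknown.work_units:
        diffs.append("timing")
    return diffs


if __name__ == "__main__":
    print("before:", observable_difference(forgot_password_before,
                                           "alice@example.test", "nobody@example.test"))
    print("after: ", observable_difference(forgot_password_after,
                                           "alice@example.test", "nobody@example.test"))
```

The self-check is the test a defender would run against a fix: the "before" handler differs in status, body and work done, while the "after" handler differs in none of them, and still queues mail only for real accounts. Real deployments also need the same uniformity on the signup path the maintainer mentions, where "address already registered" errors leak the same information.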