[Owasp-testing] Testing for user enumeration
pavol.luptak at nethemba.com
Mon Jul 21 18:58:19 EDT 2008
I've just noticed a new section "Testing for user enumeration" in Testing
Guide v3. http://www.owasp.org/index.php/Testing_for_user_enumeration
From my practical experience: many applications return the same response when
both combinations "valid username/wrong password" and
"wrong username/wrong password" are sent (so they are not vulnerable),
but they are still vulnerable to the following "user enumeration" attacks:
- timing attacks (a noticeable time difference between
"valid username/wrong password" and "wrong username/wrong password")
- different behaviour in the "Password reset" form, e.g. a user enters
"valid username" -> "Your new password has been sent to your email ... "
"wrong username" -> "Invalid user"
Only a few web applications are invulnerable to this enumeration attack and
display this diplomatic response to the user:
"If your username exists, your new password has been sent to your email... "
It would be great to mention these examples of the attack in this section.
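The two channels described in the post, as an added example (not code from the original message or from the OWASP Testing Guide): a simulated login backend with the early-return timing leak beside a hardened variant that always performs the password hash, and a password-reset handler with the revealing wording beside the "If your username exists ..." wording. The user store, salt, PBKDF2 work factor and messages are constructed for the demo; the `enumerate_by_*` functions show the attacker's side of each check.

```python
"""Simulated login/password-reset backends showing the two enumeration
channels from the post: response timing and reset-form wording.
Everything here is constructed for illustration (users, salt, messages)."""
import hashlib
import hmac
import statistics
import time

ITERATIONS = 20_000              # assumption: PBKDF2 work factor for the demo
SALT = b"constructed-demo-salt"  # constructed; a real system uses a per-user salt
WORK = {"hashes": 0}             # counts password-hash operations per request


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    WORK["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": hash_password("correct horse battery")}  # constructed user store
DUMMY_HASH = hash_password("not-a-real-password")          # burned on unknown users


def login_vulnerable(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False  # early exit: unknown users skip the slow hash -> timing leak
    return hmac.compare_digest(stored, hash_password(password))


def login_hardened(username: str, password: str) -> bool:
    # Always run the hash so the work (and therefore the time) is the same
    # whether or not the username exists.
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, hash_password(password))
    return match and username in USERS


def reset_vulnerable(username: str) -> str:
    if username in USERS:
        return "Your new password has been sent to your email."
    return "Invalid user"


def reset_hardened(username: str) -> str:
    # Same wording for both outcomes. Whatever side effect a valid user triggers
    # (sending the mail) must be deferred to a background job, or its cost
    # leaks through timing just like the login case.
    return "If your username exists, your new password has been sent to your email."


def hash_work(login, username: str, password: str = "wrong") -> int:
    """Number of password-hash operations one login attempt performs."""
    WORK["hashes"] = 0
    login(username, password)
    return WORK["hashes"]


def median_seconds(login, username: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, "wrong-password")
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def enumerate_by_timing(login, candidates, ratio: float = 3.0) -> set:
    """Attacker view: usernames whose failed login is markedly slower than a
    baseline name that certainly does not exist."""
    baseline = median_seconds(login, "zz-does-not-exist-zz")
    return {u for u in candidates if median_seconds(login, u) > ratio * baseline}


def enumerate_by_reset(reset, candidates) -> set:
    """Attacker view: usernames whose reset response differs from the baseline."""
    baseline = reset("zz-does-not-exist-zz")
    return {u for u in candidates if reset(u) != baseline}


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("timing leak, vulnerable:", enumerate_by_timing(login_vulnerable, names))
    print("timing leak, hardened:  ", enumerate_by_timing(login_hardened, names))
    print("reset leak, vulnerable: ", enumerate_by_reset(reset_vulnerable, names))
    print("reset leak, hardened:   ", enumerate_by_reset(reset_hardened, names))
```

When testing a real target, take several samples per username and compare medians rather than single requests, since network jitter is usually larger than the hash cost; the hardened variant is only as good as its weakest path, so any branch that skips the hash (locked accounts, disabled users) reopens the channel.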