[Owasp-testing] Testing for user enumeration

Pavol Luptak pavol.luptak at nethemba.com
Mon Jul 21 18:58:19 EDT 2008

I've just noticed a new section "Testing for user enumeration" in Testing
Guide v3. http://www.owasp.org/index.php/Testing_for_user_enumeration

My practical experience is that many applications return the same response when
both combinations, "valid username/wrong password" and
"wrong username/wrong password", are sent (so they are not vulnerable),
but they are still vulnerable to the following "user enumeration" attacks:

- timing attacks (noticeable time difference in case of 
"valid username/wrong password" and "wrong username/wrong password")

- different behaviour in the "Password reset" form, e.g. a user enters
"valid username" -> "Your new password has been sent to your email ... "
"wrong username" -> "Invalid user"
Only a few web applications are invulnerable to this enumeration attack and
display to the user this diplomatic response:
"If your username exists, your new password has been sent to your email... "

It would be great to mention these examples of the attack in this section.
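As an added illustration (not part of the post above, and not code from the OWASP Testing Guide), the two behaviours described can be shown side by side with a small Python login and password-reset handler. The user store, salt handling and PBKDF2 iteration count are constructed for the example. The vulnerable login returns the same error message for an unknown user but skips the password hashing, so the response is measurably faster; the hardened login runs one PBKDF2 derivation against a dummy record whenever the username is missing, so both paths do the same work. The reset handler shows the "Invalid user" message beside the uniform response the post recommends.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example (not from the original post).
PBKDF2_ITERATIONS = 50_000
GENERIC_LOGIN_ERROR = "Invalid username or password"
UNIFORM_RESET_MESSAGE = "If your username exists, your new password has been sent to your email"

# Counts PBKDF2 derivations so the amount of work per code path can be checked
# without relying on wall-clock timing.
derivation_count = 0


def hash_password(password: str, salt: bytes) -> bytes:
    global derivation_count
    derivation_count += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy record used to do equal work when the username does not exist.
# The dummy password is random and never stored, so it cannot match anything.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)
derivation_count = 0  # reset after setup so only handler work is counted


def login_vulnerable(username: str, password: str):
    """Same message either way, but returns early for unknown users:
    no PBKDF2 run, so the response is faster (timing-based enumeration)."""
    record = USERS.get(username)
    if record is None:
        return False, GENERIC_LOGIN_ERROR
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, GENERIC_LOGIN_ERROR


def login_hardened(username: str, password: str):
    """Always performs one derivation and one constant-time compare,
    whether or not the username exists."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if known and ok:
        return True, "Welcome"
    return False, GENERIC_LOGIN_ERROR


def password_reset_vulnerable(username: str) -> str:
    """Reveals whether the username exists through the response text."""
    if username in USERS:
        return "Your new password has been sent to your email"
    return "Invalid user"


def password_reset_hardened(username: str) -> str:
    """Uniform response; any mail sending happens off the response path."""
    return UNIFORM_RESET_MESSAGE


def derivations_for(handler, username: str, password: str = "wrong") -> int:
    """Number of PBKDF2 derivations a login handler performs for one attempt."""
    global derivation_count
    derivation_count = 0
    handler(username, password)
    return derivation_count


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        print(name, "vulnerable:", derivations_for(login_vulnerable, name),
              "hardened:", derivations_for(login_hardened, name))
        print(name, password_reset_vulnerable(name), "|", password_reset_hardened(name))
```

Run stand-alone, the script prints one derivation for the hardened handler on both a known and an unknown username, and zero for the vulnerable handler on the unknown one; the message text alone would not have revealed the difference, which is the point made in the post about timing.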


