[Owasp-testing] Testing for user enumeration

Pavol Luptak pavol.luptak at nethemba.com
Mon Jul 21 19:49:39 EDT 2008

On Tue, Jul 22, 2008 at 12:58:19AM +0200, Pavol Luptak wrote:
> Hi,
> I've just noticed a new section "Testing for user enumeration" in Testing
> Guide v3. http://www.owasp.org/index.php/Testing_for_user_enumeration
> My practical experiences - many applications return the same response when 
> both combinations "valid username/wrong password" and 
> "wrong username/wrong password" are sent (so they are not vulnerable), 
> but they are still vulnerable to the following "user enumeration" attacks:
> - timing attacks (noticeable time difference in case of 
> "valid username/wrong password" and "wrong username/wrong password")
> - different behaviour in "Password reset" form e.g. a user enters
> "valid username" -> "Your new password has been sent to your email ... "
> "wrong username" -> "Invalid user"
> Only a few web applications are invulnerable to this enumeration attack and
> display to the user this diplomatic response:
> "If your username exists, your new password has been sent to your email... "

And I forgot - some "shiny" AJAX applications are also vulnerable to user
enumeration (e.g. in new user registration forms they interactively verify 
if the given user already exists or not). Sometimes in these applications it
is possible to enumerate even phone/mobile numbers and gain a complete database 
of valid phone/mobile numbers of all users (I noticed this behaviour in two
different applications).
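
An added example, not part of the original message: a defensive sketch of the two cases listed in the quoted text, where login does the same password-hashing work for known and unknown usernames and the password reset form always returns the same message. The user store, the `STATS` counter, `OUTBOX` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value for the demo
GENERIC_LOGIN = "Invalid username or password"
GENERIC_RESET = ("If your username exists, your new password "
                 "has been sent to your email")

STATS = {"kdf_calls": 0}  # counts hash computations so work can be compared
OUTBOX = []               # stand-in for an out-of-band mail queue


def _hash(password: str, salt: bytes) -> bytes:
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (hypothetical data).
USERS = {"alice": _record("correct horse")}
# Dummy record: verified against when the username does not exist, so the
# expensive hash runs on every attempt and response time does not reveal
# whether the account exists.
DUMMY = _record(os.urandom(16).hex())


def login(username: str, password: str) -> str:
    known = username in USERS
    salt, stored = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # Same message for "valid username/wrong password" and
    # "wrong username/wrong password".
    return "OK" if (known and matches) else GENERIC_LOGIN


def request_password_reset(username: str) -> str:
    if username in USERS:
        # Queue the mail instead of sending it inline; a synchronous send
        # would reintroduce a measurable delay for valid usernames only.
        OUTBOX.append(username)
    return GENERIC_RESET
```
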

