User Enumeration
A way for an attacker to determine which usernames or email addresses are registered within the application. Any place where the application behaves differently for a registered identity than for an unknown one can leak this.
Different Types of Enumeration
- Response Differences
In this case the application returns a different message for a registered user than for a non-registered one, e.g.
This user does not exist
Credentials for user: Admin, is incorrect
The first message tells the attacker the username is not registered; the second confirms that "Admin" exists even though the password was wrong. Differences in status code, redirect target or response length leak the same information as differing message text.
- Time-Based Differences
How much the response time varies depends on how the back end is built. For example, a non-registered username submitted with dummy credentials may consistently come back in
100ms - 150ms
while a registered username with a dummy password comes back in 500ms - 800ms,
a clear indicator that the user exists. This happens when the back end first checks whether the username exists and only runs the (deliberately slow) password hash when the account is found, so an unknown user returns early and skips that work. Check the Time-Based Enumeration Graph page for a chart that gives a clear overview of this.
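The two leaks above, shown side by side with a hardened handler, as an added example that is not code from the original page. The login handlers, the user store (only "admin" is registered) and the use of PBKDF2 as the slow password hash are all constructed assumptions; the vulnerable handler returns distinct messages and skips hashing for unknown users, the hardened one returns a single generic message and hashes a dummy credential when the user is unknown so both paths cost the same. The two probe functions show how an attacker would read each leak.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample data for this example (not from the original page).
# The salted PBKDF2 hash stands in for whatever slow password hash the real back end uses.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


_admin_salt = os.urandom(16)
USERS = {  # username -> (salt, stored hash); "admin" is the only registered account
    "admin": (_admin_salt, hash_password("correct horse battery staple", _admin_salt)),
}

# A random dummy credential hashed once at start-up. The hardened handler verifies
# unknown usernames against it so the expensive hash runs on every request.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(32), _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> str:
    """Leaks account existence twice: a distinct message for unknown users, and an
    early return that skips the slow hash so unknown users answer much faster."""
    record = USERS.get(username)
    if record is None:
        return "This user does not exist"                     # fast path: no hashing
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "Login successful"
    return f"Credentials for user: {username}, is incorrect"  # slow path: hash computed


def login_hardened(username: str, password: str) -> str:
    """One generic failure message, and the same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if matches and username in USERS:
        return "Login successful"
    return "Invalid username or password"


def enumerate_by_response(login, candidates, password="wrong-password") -> dict:
    """Attacker view of a response-difference leak: bucket candidate usernames by the
    message returned. Two buckets means the message reveals which accounts exist."""
    buckets: dict = {}
    for name in candidates:
        buckets.setdefault(login(name, password), []).append(name)
    return buckets


def probe_timing(login, username, password="wrong-password", samples=5) -> float:
    """Attacker view of a time-based leak: median wall-clock seconds for a failed login."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


if __name__ == "__main__":
    candidates = ["admin", "ghost", "root"]
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__)
        print("  buckets:", enumerate_by_response(handler, candidates))
        for name in ("admin", "ghost"):
            print(f"  {name}: {probe_timing(handler, name) * 1000:.1f} ms")
```

Running it shows the vulnerable handler splitting the candidates into two buckets and answering for "ghost" in microseconds versus tens of milliseconds for "admin", while the hardened handler produces one bucket and comparable timings for both. The dummy-hash trick only equalises the hashing cost; if the user lookup itself is slow (a remote database, a cache miss) or a lockout counter only increments for real accounts, those become the next timing or behaviour channels to check.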
Where does user enumeration occur?
- Login Forms
- Register Forms
- Change username/email Forms