So you wish to enumerate user accounts within web applications. OK, move forward, follow the steps below and who knows, you may strike gold ;-)
Finding existing user accounts on a vulnerable web application is a trivial task. You just need some helpful error messages that reveal useful information about users. There are a number of ways to enumerate valid user accounts on a vulnerable web site.
Exploiting User Registration Functionality
If you wish to register on a web site as a new user, you need to enter your details on the user registration page including a unique username. This username is used by the web site to identify you for future interactions. If you select a username that already exists, the web application will generate an error message like this: "This username already exists, please choose another".
The main benefit of using this technique for user enumeration is that it is non-intrusive, i.e. it would not alert a system administrator or the end user of the web site, because you may well be a genuine user who wishes to register on the web site. Since the web site requires you to have a unique username, it needs to inform you if you choose a username that already exists. As no data is sent to the end users and you are not altering the state of the user account, the users also would not know that this attack has taken place.
Exploiting User Authentication
If you wish to use a web site's privileged functionality, you need to authenticate yourself to the web site. This is normally done by entering a username and a password on the authentication page. Sometimes developers are over-helpful in an effort to provide useful error messages to end users. But these error messages may be more useful to an attacker than to a normal user. The following error messages may help an attacker to enumerate valid user accounts on a target web site:
If a user enters a username that does not exist on the web site, an error message like this may be returned: "This username does not exist, please try again by entering a correct username". But if the username exists and the password is wrong, an error message like this may be returned: "Incorrect password". This error message indicates that the username exists but the password entered does not match the one stored in the database for this user.
Exploiting Password Reminder Functionality
Another method of enumerating valid user accounts is the password reminder functionality. If a user forgets the password, the web site provides a function to enter the username or the email ID to which the password would be sent. Even worse, sometimes the web application will generate a new password and send it to the user's email ID.
Now if you enter a username that does not exist, an error message "This username does not exist" would be generated; otherwise a message something like "The password has been sent to the registered email ID" would be generated, revealing that the username exists on the target web site. This is not considered a very good method for user enumeration, as it will alert the end users that some malicious activity has happened to their account.
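To make the login and password reminder leaks concrete from the defender's side, here is an added example (not code from the original post) showing each over-helpful handler beside a hardened version that returns one message for both failure paths. The user store, salt, iteration count and `OUTBOX` mail queue are constructed for the example; `leaks_existence` is a check a developer can keep in a test suite to catch regressions.

```python
import hashlib
import hmac

# Constructed user store for this example (not from the original post):
# username -> (salt, PBKDF2 hash). Low iteration count just to keep the demo fast.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record used for unknown usernames so both failure paths do the same
# hashing work (no timing difference to fall back on).
_DUMMY = (_SALT, _hash("placeholder", _SALT))

# The over-helpful login handler from the post: the message itself says
# whether the username exists.
def login_verbose(username: str, password: str) -> str:
    record = USERS.get(username)
    if record is None:
        return "This username does not exist, please try again by entering a correct username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"

# Hardened login: one generic message for both failure cases.
def login_uniform(username: str, password: str) -> str:
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "OK"
    return "Invalid username or password"

# The reminder flow from the post: "does not exist" vs "has been sent".
def reset_verbose(username: str) -> str:
    if username not in USERS:
        return "This username does not exist"
    return "The password has been sent to the registered email ID"

OUTBOX = []  # constructed stand-in for the mail queue
# Hardened reminder: identical reply either way; only real accounts get mail.
def reset_uniform(username: str) -> str:
    if username in USERS:
        OUTBOX.append(username)
    return "If that account exists, a password reset link has been e-mailed to it"

# Check a developer can keep in the test suite: do the two failure paths differ?
def leaks_existence(handler, *extra_args) -> bool:
    return handler("nobody", *extra_args) != handler("alice", *extra_args)
```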
Enumerating User Accounts through Directory Enumeration
Some web applications allocate a separate directory to each registered user, where the name of the directory is the same as the username. When a user accesses the web site, this directory is simply appended to the URI. This may look something like this:
www.example.com/username
You can append different usernames to the end of the URI in an effort to find valid usernames. This is possible because different error messages can be returned for existing and non-existing directories. Also, an error message may be returned for a non-existing directory while some valid information may be returned for an existing directory if no authentication is required to access the contents of that directory.
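The directory probing described above leaves a recognisable trace in the web server's access log: one client requesting many distinct single-segment paths, most of them answered with 404. The following added detection example (not from the original post) parses Common Log Format lines and flags such clients; the log lines, IP addresses and the thresholds `min_distinct` and `min_miss_ratio` are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Common Log Format) for this example; not from the post.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /bob HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /carol HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /dave HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /erin HTTP/1.1" 200 498
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /frank HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /alice HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line: str):
    """Return (client_ip, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    return (m["ip"], m["path"], int(m["status"])) if m else None

def is_user_dir(path: str) -> bool:
    # Single-segment paths like /alice; nested paths such as /static/app.css are ignored.
    return re.fullmatch(r"/[A-Za-z0-9_.-]+", path) is not None

def find_enumerators(lines, min_distinct: int = 4, min_miss_ratio: float = 0.5) -> dict:
    """Flag clients that probe many distinct user-style paths with a high 404 share."""
    per_ip = defaultdict(lambda: {"seen": set(), "missing": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if not is_user_dir(path):
            continue
        per_ip[ip]["seen"].add(path)
        if status == 404:
            per_ip[ip]["missing"].add(path)
    flagged = {}
    for ip, s in per_ip.items():
        n = len(s["seen"])
        if n >= min_distinct and len(s["missing"]) / n >= min_miss_ratio:
            flagged[ip] = {"distinct": n, "not_found": len(s["missing"])}
    return flagged
```

If the application answers missing directories with a custom page and status 200 rather than 404, key the `missing` set on the response size or body marker instead of the status code.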
Once a valid user account is found, the next step would be to brute force the account in an effort to gain unauthorized access to the target web site. Mission Accomplished!
I have divided this post in two parts. This part describes how an attacker can enumerate users on a vulnerable web site. Part 2 will explain what measures web application developers can take to avoid user enumeration on their web sites.
5 comments:
An excellent explanation Vishal. I look forward to reading how developers can mitigate these problems.
BTW blogger.com reports "incorrect password" for both a legitimate user and a false username - demonstrating they may know what they're doing!
Thanks Mr. Wood for being the first commentator on my blog.
I can understand your point. It would hardly matter what error message has been returned as long as the behaviour of the application remains the same no matter whether the username or the password is wrong. But if the application behaves differently for a wrong username than for a wrong password, that would provide enough grounds for an attacker to enumerate valid user accounts on that web application.
Exactly what I meant, thanks. However, after further experimentation, it looks like blogger.com *does* differentiate between unknown users and wrong passwords. Not so good!
What are your thoughts on the usability of this approach? Online applications are not just for preference, but to ease volume on higher-cost customer channels and keep product cost down. With people maintaining so many IDs and passwords, if you don't specify which is at issue, don't you think you will greatly increase calls to the call center to address the forgotten ID or password? Any recommendations to balance this?
Hi Francisco, you may have a valid point in saying so, but then we have to maintain a balance between security and usability. To prevent high call volumes to call centers, it may be a good idea to automate the username/password reminder process and to send the user ID or the password to the registered email address after successful user verification.