If you are not already familiar with the concept of Account Enumeration, please see the article entitled “What Is Account Enumeration?”.
Testing For Account Enumeration
Testing for Account Enumeration is straightforward in a white-box testing scenario. Simply compare the responses to the following two tests:
- Providing a legitimate account identifier and an invalid password
- Providing a non-existent account identifier and any password
If the two responses differ (in status code, message, headers, or response time), the application is distinguishing unknown account identifiers from incorrect passwords, which is an Account Enumeration vulnerability.
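As an added example, not part of the original article, the white-box comparison above expressed as a self-contained Python check run against two constructed login handlers, one that leaks the distinction and one that does not. The user store, handler names and messages are assumptions made for this illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed sample user store (plaintext passwords only for this demo;
# a real system stores password hashes).
USERS = {"alice": "correct horse"}
# Dummy secret compared against when the user is unknown, so the
# hardened handler does the same amount of work on both failure paths.
DUMMY_SECRET = "x" * len("correct horse")


@dataclass
class Response:
    status: int
    body: str


def login_leaky(user: str, password: str) -> Response:
    """Vulnerable: unknown users and wrong passwords get different answers."""
    if user not in USERS:
        return Response(404, "No such user")
    if not hmac.compare_digest(USERS[user], password):
        return Response(401, "Incorrect password")
    return Response(200, "Welcome")


def login_uniform(user: str, password: str) -> Response:
    """Hardened: identical status and message for both failure cases,
    and the comparison runs even for unknown users to avoid a timing tell."""
    stored = USERS.get(user, DUMMY_SECRET)
    matched = hmac.compare_digest(stored, password)
    if user not in USERS or not matched:
        return Response(401, "Invalid username or password")
    return Response(200, "Welcome")


def enumeration_check(login) -> list:
    """The article's white-box test: a valid identifier with a wrong
    password versus a non-existent identifier with the same password.
    Returns the response fields that differ; an empty list means the
    two failures are indistinguishable to a caller."""
    known = login("alice", "wrong-password")       # test 1
    unknown = login("nobody-here", "wrong-password")  # test 2
    diffs = []
    if known.status != unknown.status:
        diffs.append("status")
    if known.body != unknown.body:
        diffs.append("body")
    return diffs
```

In a real test harness the same comparison would also cover response headers, body length and elapsed time, since any of those can carry the distinction.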
In a black-box testing scenario, you must attempt to authenticate with many candidate account identifiers (using a common weak password) until you find one that returns a different response, or you exhaust your list. That is, you iterate over candidate account identifiers with the same weak password, attempting to find a valid account. Any attempt that returns a response different from the others should be examined to see whether the system is distinguishing incorrect account identifiers from incorrect passwords; such a result is indicative of an Account Enumeration vulnerability. If you exhaust your list of potential account identifiers without seeing a different response indicating a valid account identifier, the test is inconclusive.
For insight into how to avoid or fix Account Enumeration vulnerabilities, please see the article entitled “How To Prevent Account Enumeration”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.