Username Enumeration Vulnerabilities

So basically we have an application that will reveal to us when a username already exists on the system. If you do a bit of research on this type of vulnerability, you usually find the example of a login page which, when submitting wrong credentials, will specifically inform the user (and attackers) whether the entered username is already present on the system or not. This is what I like to call a username enumeration vulnerability of bruteforcable type, because we usually run a dictionary attack to exploit the responses of the application.

There is another type of username enumeration vulnerability which I would like to call dumpable. In dumpable username enumeration vulnerabilities, the target application coughs up a list of existing usernames. You might wonder how this could happen. I’ve seen it work by accessing exposed config files (i.e. users.conf.xml). Another example that comes to my mind is portal applications which sometimes allow you to do advanced searches and obtain lists of usernames existing on the system without requiring you to be logged in. In this post, we will focus on bruteforcable username enumeration vulns.

Although nothing stops you from blindly trying common set of credentials such as admin/admin, admin/password, test/test and so on, enumerating usernames does definitely increase the chance of an account being cracked. Think of username enumeration as the first stage in the process of cracking a set of credentials. The problem is that not all web applications are vulnerable to this type of flaw. However, there are ways we can push the limits.