Is it possible to enumerate user account details within the Web application via the logon page?
Where an application requires account details to retrieve other information, it may be possible to enumerate the details based on the error message returned by the application.
In this case it was also possible to determine the state of the user account
Messages which allow an attacker to enumerate account details should be removed. A generic error message which does not disclose information about account information should be used.
OWASP Testing for user enumeration
- Enumeration is the first attack on target network, enumeration is the process to gather the information about a target machine by actively connecting to it.
- Enumeration means to identify the user account, system account and admin account. Enumerating windows active directory to find out these stuffs.
- Discovering NetBIOS name enumeration with NBTscan.
- Establishing null sessions and connections. Null sessions tools like Dumpsec, Winfo and Sid2User or more, may used to perform this attack.
The login failure messages can give away too much information and it would be possible to enumerate user details via the log-on page. It reports on whether an account exists/not and if an account is locked out or not etc.
There should ideally be just one generic message that’s of no use to a potential hacker.
You’ll need to log somewhere in your application the actual reasons why the user could not login, this could be that the account is locked, suspened, deleted etc.
By logging this information a system adminstrator or the like can see why a user could not get access to the application through the login page.