Username enumeration is the process of developing a list of all valid usernames on a server or web application. It becomes possible if the server or application provides a clue as to whether or not the username exists. Usually it occurs when a user-related form or URL returns different results when a user exists than when no user exists. However, username enumeration also includes cases when the server can be made to reveal a list of usernames, such as through SQL Injection.
Most often the goal of Username Enumeration is to gain access to a system. Since most sites use password authentication, knowing the username is half of the requirement for logging in. Once a set of valid usernames have been identified, attackers can use techniques such as Brute Force and Dictionary Attacks to guess the passwords. Many of the passwords will be strong enough to resist these attacks, but with a long list of usernames, many of them will certainly use weak passwords and be vulnerable.
Sometimes, it is not necessary to gain access, just knowing if an account exists can be a problem. Adult Friend Finder and Ashley Madison, sites for people looking for sexual encounters or extramarital affairs, promise their users a high-level of privacy. But both sites had password reset pages which indicated whether an email address was in use. It was possible for spouses, friends, and coworkers to know if someone had an account, just by knowing their email address.
"Username not found." = username is not valid
Enter a second username and password
"Password incorrect." = username is valid
"Site error." = username is not valid
"Not enough permission to access." = username is valid
Indicates "guest_11" is valid
Indicates "johnsmith" is valid
A "dumpable" username enumeration is when the server, database, or web application can be manipulated to reveal a full or partial list of usernames. This attack can be more difficult to achieve, but it is much faster than preforming user enumeration one name at a time. Most often, a "dumpable" username enumeration is the result of SQL Injection Attack.
Developers need to take precautions with any public-facing page which uses username, email, or any other user identifier for any purpose.
If the page accepts a user identifier as input, then the output must not indicate if the user exists or not. This output includes not only the message returned to the user, but changes to the page contents (HTML, CSS, images, form structure or values), URL, or even cookie data.
Most often the pages which require special attention are:
It is a good idea to write software tests which can make two requests—for a valid user and an invalid user—to any of these pages and compare the results to ensure they are identical.
Do not use sequential numbers for usernames, instead use randomly generated data which cannot be enumated (e.g., "guest_5TC412B70").