user-enumeration – WindowsTechs.com

Pentesters: Is it common for bruteforce/ dictionary attacks, e.g. for SSH username enumeration, to be successful in the real-world pentests? [closed]

Posted on June 30, 2024 by Shy

I am learning and practicing on vulnerable-by-design machines (vulnhub, metasploitable etc.). I found that this machine is running OpenSSH 7.5, and I tried a few exploits of Username enumeration from ExploitDB, which all ask for a wordlist… Continue reading Pentesters: Is it common for bruteforce/ dictionary attacks, e.g. for SSH username enumeration, to be successful in the real-world pentests? [closed]→

FFUF command returns status code 400, regardless of mode option: clusterbomb, pitchfork, sniper

Posted on January 10, 2024 by Maestro

I’m working on a lab on PortSwigger.com titled Username enumeration via different responses. While using ffuf to solve the lab, the output keeps returning a 400 status code.
So far this is what I’ve tried. Here is the request payload file,… Continue reading FFUF command returns status code 400, regardless of mode option: clusterbomb, pitchfork, sniper→

Information leakage from a API 404 response

Posted on February 8, 2023 by usr-local-ΕΨΗΕΛΩΝ

Our consulting company has received a VAPT from a consulting company on behalf of a financial customer.
The application has an HR/group management module.
Normally employees are created by an asynchronous process, but in case this fails th… Continue reading Information leakage from a API 404 response→

Is it safe for website to generate fake profile pages?

Posted on April 11, 2022 by Phaidrin

Today I found a website which generates a fake profile when asked if said profile exists. Example: www.site.com/user/mycoolname doesn’t exist yet. But if I put it in the browser for the site I get a fake profile of mycoolname with no pictu… Continue reading Is it safe for website to generate fake profile pages?→

Is exposing email delivery failure to a user a security risk?

Posted on September 12, 2021 by Elder

Case 1: When user creates an account, a confirmation email is sent.
Case 2: When user invites a coworker to his/her account, an invitation email is sent.

Problem: If a user makes a typo in the email, it cannot be delivered.
It might be m… Continue reading Is exposing email delivery failure to a user a security risk?→

Account enumeration on verification-less signup

Posted on August 11, 2021 by Štef FoReal

Is there a way to prevent account enumeration on signup page if access to the site is not requiring you to verify your email?
The scenario is as following:
Sign up for a site with email+password, but allow to use the site immediately. Some… Continue reading Account enumeration on verification-less signup→

How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Posted on April 15, 2021 by gaurav5430

Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can rate limit your requests, and apply some… Continue reading How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?→

Stop User Enumeration requests on AJAX endpoints

Posted on November 22, 2020 by Abhi

I have an ecommerce website with over 5 million customer database. From past couple of days, probably a hacker is hitting an AJAX endpoint continuously. This endpoint takes email address as a parameter and returns whether that email addres… Continue reading Stop User Enumeration requests on AJAX endpoints→

Stop User Enumeration requests on AJAX endpoints

Posted on November 22, 2020 by Abhi

memcached enumeration issues

Posted on July 15, 2020 by David

I have a reverse shell from an application called openEMR to my kali host. Im trying to enumerate memcached manually however I get an error failed to listen on TCP port 11211: Address already in use
any help would be appreciated. Ive tried… Continue reading memcached enumeration issues→