Collaborate Disseminate
With the current WordPress API you can get a list of usernames and email addresses of all users in the system with almost no effort:
<url>/wp-json/wp/v2/users
Outputs something like:
[{
“id”:1,
“name”:”admin”,… Continue reading Should I be concerned about the WordPress REST API’s user enumeration vulnerability?
About a year ago my Windows server 2008 R2 server was hacked. I had RDP open to the world, I know, not a good idea. Being that it was a year ago I don’t have any of the logs, but I was thinking about something today.
How did… Continue reading How did hackers brute force my Windows server username?
It used to be the case that authentication systems wouldn’t confirm whether a user account existed and, instead, would simply report that the user logon name or password was incorrect.
Nowadays, a lot of authentication syste… Continue reading User account existence confirmation
I am responsible for some public-facing web applications, and I want to test these for the username enumeration risk as explained in Testing for User Enumeration and Guessable User Account (OWASP-AT-002) by the OWASP project…. Continue reading How to effectively test for username enumeration risk?
While viewing bug bounties, I noticed that most of the bug bounties list the user enumeration in the excluding list. For instance brute forcing user accounts, forget password forms would generally fall into this category.
This got me thin… Continue reading Why do several bug bounties ignore user enumeration?
Does correcting a misspelled username and prompting the user with a valid username introduce a security risk?
I recently tried logging into facebook and misspelled my email. They prompted me with the message below.
Log … Continue reading Does correcting misspelled usernames create a security risk?
When I am implementing password reset functionality I usually do not include informative messages about whether a user was found, because I have always believed that it can lead to user name enumeration. So instead of showin… Continue reading Informative error messages in password reset functionality?
It is really common (and I would say it is some kind of security basic) to not show on the login page if the username or the password was wrong when a user tries to log in.
One should show a generic message instead, like “Password or usern… Continue reading Generic error message for wrong password or username – is this really helpful?
On our forgot password reset form, is it ok to leak that a given e-mail address entered is invalid? Or should we always just return success and check your e-mail, even if the e-mail is not valid.
I feel like always returning success can p… Continue reading Best practice for forgot password form, ok to leak that a given e-mail is invalid
Being on the company security email list, I get emails with some regularity complaining about email discovery on various forms on my employers website. The reporters are complaining about things like our login form returning a specific mes… Continue reading How to prevent email discovery in forms?