Modee's Blog

Enumeration Attacks.

What are username enumeration attacks, bruteforcing attacks and how to fix enumeration vulnerabilities.

Omodeni Dolapo's photo
Omodeni Dolapo
·

2 min read

Username enumeration attack is a type of attack that follows the process of determining the valid usernames for an application based on an application's response.

Username enumeration attacks basically exists in three places such as;

  1. Login
  2. Forgotten password
  3. Registration

Enumeration attacks can be used to

  1. Identify personal information about customers or users.
  2. Collect pricing, scheduling or operational information of people and organizations. e.t.c

We should always remember that enumeration attacks are not just about security. It can directly impact the safety of people.

Bruteforcing attack is a type of attack that follows the process of automating attempts to access a system such that it can be done fast and autonomously.

What can an attacker do with these vulnerabilities?

  1. Identify valid usernames within a system.
  2. Automate attacks to compromise many accounts in the same period.
  3. Enumerates other confidential data. e.t.c.

How to Prevent Enumeration Attacks

  1. Multi-Factor Authentication (MFA) - By requiring MFA with each login attempt, cybecriminals will not have access to any server responses without submitting the correct authentication tokens first. Cyberattackers are very unlikely to also have compromised the separate endpoints receiving these tokens.

  2. Use CAPTCHA on all forms - CAPTCHAs are not as effective as MFA but they do effectively block automated enumeration attacks.

  3. Limit login attempts: CAPTCHAS and MFA inconvenience cyberattacks by adding latency to each login attempt. This frustration can be further amplified with rate-limiting, when the login process is blocked beyond a set number of failed attempts from the same IP address.

  4. Use a Web Application Firewall (WAF) - WAFs can block suspicious login attempts coming from a single IP address.

  5. Implement cyber awareness training - Train staff to identify common tactics used to steal sensitive information outside of enumeration methods, such as social engineering and phishing. Obfuscate API responses - If a login form calls an API, make sure these messages do not reveal the validity of each individual field entry.

#cybersecurityDevSecOpsinfosec