Account enumeration is an important part of a penetration test because it determines whether an unauthenticated party can get the application to reveal which usernames or email addresses are valid accounts. If you are considering account enumeration during a penetration test, this pen testing company offers efficient services and excellent customer service. This post lists various techniques that are used for account enumeration in a penetration test.
Account Enumeration Through The Account Lockout Message
You can test for this type of enumeration by sending failed login requests for a known valid email address or username until the account locks, which confirms the lockout threshold. Different applications will have different lockout thresholds.
Then test how the application responds to the same number of failed requests when the username or email address does not exist. Where the username or email address exists in the database, the application responds with a message saying the account is blocked; if it responds differently for a non-existent account, the lockout message itself reveals which accounts are valid. Checking the account lockout feature is therefore an essential part of account enumeration when pen-testing.
Account Enumeration Through The Login Error Message
This is the most common user enumeration technique and can be found in many web applications. You test for it by comparing the different messages the application responds with, which show whether the username or email address exists in the database or not.
An invalid password response shows that the username or email address exists in the database. An invalid username response indicates that the username or email address does not exist in the database.
Account Enumeration Through Response Time Discrepancy
This technique is not commonly used, and you should consider incorporating it into your account enumeration methodology during pen-testing. You should check the web server’s response time for any noticeable differences or patterns in response time where you provide a valid username or email versus invalid ones. Perform the response time discrepancy tests for the login page, forgot password page, and registration form page.
These tests are typically done by sending several consecutive requests (three or more) with valid usernames or email addresses and recording the response times. You then send the same number of requests using invalid usernames or email addresses that have a single letter or digit altered, and record those response times. The response times for valid and invalid requests are then compared. Where the leak exists, valid requests typically return faster than invalid ones.
Account Enumeration Through Response Size Discrepancy
The method used for response size discrepancy is similar to that used for response time discrepancy. During thorough pen-testing, you should look for differences in response size even when the application displays the same generic message whether or not the username exists in the database, since the page around that message may still differ.
You should check the web server’s response size, alongside its response time, by performing discrepancy tests on the login page, forgot password page, and registration form page. The tests are typically done by sending several consecutive requests with valid usernames and email addresses and recording the response sizes. You must then repeat the tests using invalid usernames and email addresses so you can compare the sizes of the valid and invalid responses.
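The login, response time and response size checks above all come down to one question: does the application behave differently when the account exists? The following added example (not code from the original post) shows a deliberately leaky login handler beside a hardened one and a small comparison routine that reports the three observable differences a tester looks for. The user store, passwords and salt are constructed for the example; the hash-call counter stands in for a timing measurement so that the comparison is deterministic.

```python
import hashlib
import hmac
import json

# Constructed user store: username -> (salt, PBKDF2 hash). Not a real application's data.
PBKDF2_ROUNDS = 20_000
_SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy hash used to do the same amount of work when the account does not exist.
_DUMMY_HASH = hash_password("dummy", _SALT)

# Counts password-hash computations; a proxy for server-side work (and therefore time).
hash_calls = 0


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    global hash_calls
    hash_calls += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_leaky(username: str, password: str):
    """Vulnerable: distinct messages, different body sizes, and an early return
    that skips the hash when the username is unknown."""
    record = USERS.get(username)
    if record is None:
        return 401, json.dumps({"error": "invalid username"})
    salt, expected = record
    if not _verify(password, salt, expected):
        return 401, json.dumps({"error": "invalid password for this account"})
    return 200, json.dumps({"ok": True})


def login_hardened(username: str, password: str):
    """Hardened: one generic message, identical body, and a hash computation
    on every failure path so the unknown-user path costs the same."""
    salt, expected = USERS.get(username, (_SALT, _DUMMY_HASH))
    # _verify runs first in every case; the membership check prevents the
    # dummy hash from ever authenticating a non-existent account.
    ok = _verify(password, salt, expected) and username in USERS
    if not ok:
        return 401, json.dumps({"error": "invalid username or password"})
    return 200, json.dumps({"ok": True})


def enumeration_signals(handler, valid_user: str, invalid_user: str, password: str = "wrong"):
    """Send one failed login for a valid and an invalid account and report
    whether the message, the body size, or the work done differs."""
    global hash_calls
    hash_calls = 0
    _, body_valid = handler(valid_user, password)
    calls_valid = hash_calls
    hash_calls = 0
    _, body_invalid = handler(invalid_user, password)
    calls_invalid = hash_calls
    return {
        "message_differs": body_valid != body_invalid,
        "size_differs": len(body_valid) != len(body_invalid),
        "work_differs": calls_valid != calls_invalid,
    }


if __name__ == "__main__":
    # "alicf" is "alice" with one letter altered, as the text describes.
    print("leaky:   ", enumeration_signals(login_leaky, "alice", "alicf"))
    print("hardened:", enumeration_signals(login_hardened, "alice", "alicf"))
```

Against the leaky handler every signal differs; against the hardened one none does. The dummy-hash trick is what removes the response time discrepancy: the unknown-user path is no longer cheaper than the wrong-password path, so there is nothing for the timing comparison to pick up.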
Account Enumeration Through The Registration Form
When pen testing, you should also check the application or website’s registration form. This is done by filling in a valid username or email address and checking whether the application returns an ‘existing username’ or ‘existing email address’ error message. You can obtain usernames or email addresses from the organization itself, from OSINT, or from a wordlist. Be sure to properly pen test the registration form page.
Account Enumeration Through The Reset Password Feature
Checking the application’s forgotten or reset password feature is also essential when pen-testing. This is done by entering a username or email address that exists in the database and observing whether the application confirms that a password reset token was issued for the account you just entered. You then enter an email address or username that is not in the database, in which case a leaky application returns a username or email invalid message.
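For the registration form and the reset password feature the fix is the same: the HTTP response must not depend on whether the account exists, and the real outcome is delivered out of band by email. The following added example (not code from the original post) contrasts leaky and hardened handlers for both features and includes a check that compares the responses for an existing and a non-existing address. The account store and the in-memory outbox standing in for a mail sender are constructed for the example.

```python
import json

# Constructed data: one registered address, no real users.
ACCOUNTS = {"alice@example.com"}
PENDING_REGISTRATIONS = set()

# Stand-in for the outgoing mail queue so the example runs offline.
OUTBOX = []


def reset_password_leaky(email: str):
    """Vulnerable: a different status and message when the address is unknown."""
    if email not in ACCOUNTS:
        return 404, json.dumps({"error": "no account for that email address"})
    OUTBOX.append((email, "reset-link"))
    return 200, json.dumps({"message": "password reset token sent"})


def reset_password_hardened(email: str):
    """Hardened: identical response either way; only the mailbox owner learns the result."""
    if email in ACCOUNTS:
        OUTBOX.append((email, "reset-link"))
    return 200, json.dumps(
        {"message": "If an account exists for that address, a reset link has been sent."}
    )


def register_leaky(email: str):
    """Vulnerable: the 'existing email address' error confirms the account."""
    if email in ACCOUNTS:
        return 409, json.dumps({"error": "existing email address"})
    PENDING_REGISTRATIONS.add(email)
    return 201, json.dumps({"message": "account created, check your email"})


def register_hardened(email: str):
    """Hardened: same response for both cases. An existing owner gets a notice
    that someone tried to register their address; a new address gets a
    verification link and the account is created only after it is used."""
    if email in ACCOUNTS:
        OUTBOX.append((email, "already-registered-notice"))
    else:
        PENDING_REGISTRATIONS.add(email)
        OUTBOX.append((email, "verify-link"))
    return 200, json.dumps({"message": "Check your email to continue registration."})


def responses_match(handler, existing: str, missing: str) -> bool:
    """True when status and body are byte-for-byte identical for an existing
    and a non-existing address, i.e. the endpoint gives nothing away."""
    status_a, body_a = handler(existing)
    status_b, body_b = handler(missing)
    return status_a == status_b and body_a == body_b


if __name__ == "__main__":
    for name, handler in [
        ("reset_password_leaky", reset_password_leaky),
        ("reset_password_hardened", reset_password_hardened),
        ("register_leaky", register_leaky),
        ("register_hardened", register_hardened),
    ]:
        print(f"{name:25s} responses match: {responses_match(handler, 'alice@example.com', 'bob@example.com')}")
```

The comparison in responses_match is exactly the check described for these two pages, applied from the defender's side: if it ever returns False for an unauthenticated endpoint, that endpoint is enumerable. Note that the hardened handlers still need rate limiting, otherwise the mail queue itself becomes the side channel.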
If you are searching for a pen testing company that will provide efficient services at an affordable price, you can seek a referral from a trusted source. Online reviews and referrals are also a reliable way to find the best pen testing company for your web application. Be sure to do as much research as possible to ensure you find a trustworthy and reliable pen-testing company that can point out and possibly repair any vulnerabilities in your web application.