Ok! Yet another big term, User Enumeration, and you might be asking yourself: what the heck is user enumeration anyway? Well, you're in luck, because I'm here to tell you all about User Enumeration and how to prevent it.
First things first: you should know that User Enumeration is a cyber security term. Now that you know that, the big question is: what is user enumeration?
User enumeration is the malicious act of using attack techniques to guess or confirm which user accounts exist on a system or server.
A technique often used for user enumeration is brute force, which lets the attacker collect enough information from the server's responses to tell whether a given user is valid on a particular system.
According to Wikipedia: "In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found."
User enumeration is a vulnerability that is often found on websites, and the places where it usually shows up are the login and forgot-password functionality.
The key to user enumeration is learning whether a user is valid on a particular system, so the attacker looks for differences in the server's response depending on the details he sends to it.
For example, when we try to log in to a website, enter a username and a password, and the server replies with "user does not exist", that tells the attacker that the username is what's wrong, not the password. With that information he can plan the next phase of his attack. The same applies when he enters a correct username with an invalid password: a reply like "invalid password" confirms that the username exists. The technique also works against the "forgotten password" functionality of a website: when the attacker enters a username, email address or phone number in the forgotten-password field and the server responds with "does not exist", that tells him how to plan the next phase. Usually the attacker then uses some kind of brute-force attack against the confirmed account to gain access to it. So how do we prevent it? Here are a few measures:
Send a generic message to the user - Instead of telling the user exactly which field is wrong, with messages like "Invalid username" or "Invalid password", send a generic message like "Invalid username or password".
Make your server response time the same for all requests - You might be wondering how the server's response time could hint to the attacker whether a field is correct. Attackers are clever, so here is how. When the server responds faster for a valid input and takes longer for an invalid one (or vice versa), the difference tells the attacker which input is correct. To fix this, make the server wait until a fixed, hard-coded amount of time has passed before returning its response, so valid and invalid requests take the same time and the attacker gets no hint.
Use a Web Application Firewall (WAF) - Say the attacker tries to brute force usernames by submitting a long list of random usernames in quick succession; the firewall can block the attacker's IP, because a normal user does not submit usernames at that rate.
Use two-factor authentication (2FA) - With 2FA, even a correctly guessed username and password does not get the attacker into the account, so using 2FA is advised.
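Here is what the login and forgot-password advice above looks like in code: the leaky handler that answers "user does not exist" or "invalid password" sits beside a hardened one that returns a single generic message, does the same amount of password-hashing work whether or not the user exists, and pads every response to a fixed minimum time. This is an added example, not code from the original post; the user store, salt, iteration count, sample password and the 0.25-second floor are placeholders constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo user store: one account, password hashed with PBKDF2.
# Salt, iteration count and password are placeholders chosen for the example.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 50_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": hash_password("correct horse battery staple")}

# Hash that is verified when the username is unknown, so the "no such user"
# path does the same expensive work as the "wrong password" path.
_DUMMY_HASH = hash_password("placeholder-never-a-real-password")

# Minimum time every response waits before returning (assumed value).
MIN_RESPONSE_SECONDS = 0.25


def login_leaky(username: str, password: str) -> tuple:
    """The vulnerable pattern: a different message, and less work, when the user is unknown."""
    stored = USERS.get(username)
    if stored is None:
        return (False, "user does not exist")   # reveals that the username is wrong
    if not hmac.compare_digest(stored, hash_password(password)):
        return (False, "invalid password")      # reveals that the username is right
    return (True, "ok")


def login_hardened(username: str, password: str) -> tuple:
    """Unknown user and wrong password look identical: one message, same work, padded time."""
    start = time.monotonic()
    stored = USERS.get(username, _DUMMY_HASH)
    # Always run the hash and the constant-time comparison, even for unknown users.
    password_ok = hmac.compare_digest(stored, hash_password(password))
    success = password_ok and username in USERS
    _pad_to_floor(start)
    if success:
        return (True, "ok")
    return (False, "Invalid username or password")


def forgot_password_hardened(identifier: str) -> str:
    """Never confirm whether the username/e-mail exists; respond identically either way."""
    start = time.monotonic()
    if identifier in USERS:
        pass  # a real handler would queue the reset e-mail here, without changing the reply
    _pad_to_floor(start)
    return "If an account matches what you entered, a reset link has been sent."


def _pad_to_floor(start: float) -> None:
    """Sleep until at least MIN_RESPONSE_SECONDS have passed since the request started."""
    elapsed = time.monotonic() - start
    if elapsed < MIN_RESPONSE_SECONDS:
        time.sleep(MIN_RESPONSE_SECONDS - elapsed)


def timed(fn, *args) -> tuple:
    """Run a handler and return (result, seconds taken); used to check the timing floor."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


if __name__ == "__main__":
    attempts = [("alice", "wrong"), ("nobody", "wrong"), ("alice", "correct horse battery staple")]
    for user, pw in attempts:
        print("leaky   ", user, login_leaky(user, pw))
        result, secs = timed(login_hardened, user, pw)
        print("hardened", user, result, f"{secs:.2f}s")
    print(forgot_password_hardened("nobody"))
```

Running the script shows the leaky handler giving two different failure messages while the hardened one gives the same message, with every hardened call taking at least the 0.25-second floor. Note that the floor only equalises timing that is shorter than the floor; if the unknown-user path skipped the hash entirely it would still be faster in CPU terms, which is why the dummy hash is verified as well.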
As a general rule, always cross-check your server responses for this and any other sort of vulnerability.