User Enumeration Attack


In this blog, we are discussing the user enumeration attack. While writing code we used to think about code optimization application performance, but we are not worrying about secured code right now. Let's understand the best approaches to avoid user enumeration in the application.

A User Enumeration attack means if an attacker is able to collect the user name for a website by using brute-force or a social engineering technique, an attacker can get the password and get into the application. Our site will be more secure when attackers cannot list usernames. Let's understand common ways of user enumeration leakage in applications.

If our login page has different error messages for login failure an attacker can write a script and list out all the valid user names.

For example, I will enter the user name as batman and this user name does not exist in the database. In this case, if it returns any specific error message like user name does not exist this will lead to user enumeration.

If the user enters the right username and wrong password, in this case if we return a specific error message, like the password is incorrect, this will lead to user enumeration.

The application should always return the generic error message instead of specific.

Check the below snapshot.

User Enumeration Attack

HTTP response header should be identical in all login failure scenarios; make sure not to respond with the cookie when a login fails.

On the password reset page we can also see the user enumeration. When the user enters the user name for password,  reset system should not say the account doesn't exist.

User Enumeration Attack

The best approach is to send a password reset link to the respective email id and give the generic error message.


In this blog, we discussed user enumeration attacks and the best approaches to fix this issue.