Time-based User Enumeration

Introduction

One of the most important steps when pentesting a web application is identifying valid user data and then using brute-force or dictionary attacks to determine the second factor -- the password. Nowadays, enumerating usernames is becoming an ever-greater challenge for attackers. This is a good sign, as it means developers are taking application security seriously. Most modern applications now return only generic messages such as "email address or password is incorrect" when a login attempt fails.

Since simply enumerating usernames is no longer viable, a more sophisticated approach is needed to obtain this valuable information. This is where time-based user enumeration comes into play.

Classical Approach vs. Time-based Approach

In the classical approach to user enumeration, you look for specific feedback from the system. This can be as obvious as an error message ("This account does not exist.") or as subtle as a slight variation in response error codes. In either case, an attacker can exploit this behavior to automatically compile a list of valid usernames for use in password attacks. Since this scenario is increasingly rare in modern systems, a more sophisticated approach is required.

The time-based aspect of this vulnerability emerges when the application offers no obvious way to determine whether a username is valid, yet the web server's response time changes measurably. Typically, this is caused by differences in the application's login processing code that create a longer execution path for valid usernames, resulting in a noticeable time delay.

Regardless of how an attacker obtains valid user data, it poses a significant risk to your organization. Such a list already contains half of the credentials required to log in, greatly increasing the likelihood of unauthorized access. The only thing standing between your company and a compromise is the strength of your users' passwords -- which, as experience shows, is often insufficient.

What to Consider When Testing?

There are several important points to keep in mind when testing. First and foremost, avoid overloading the server, as this could skew the results. It is therefore advisable to include a small delay between requests.

Additionally, it is advisable to distribute the valid usernames across the payload so that they are not sent in consecutive requests. This random distribution within the dataset reduces the risk of false positives.

Furthermore, you should run the test multiple times and then calculate the average response time per user. This normalizes the data and further reduces the risk of false positives.

Of course, even with all these precautions, the success of the attack still depends heavily on the stability of the server and the internet connection between server and client.

How Do I Prevent Time-based User Enumeration?

Now that we have seen how time-based user enumeration works, the question is how to secure your systems against it. For in-house applications, developers should be made aware of this issue so they can eliminate significant timing differences in login processes. If you do not control the source code, as is the case with commercial off-the-shelf software, mitigation becomes more challenging.

Beyond addressing the root cause, you should implement additional safeguards to reduce the risk of unauthorized access. The most effective measure is to deploy multi-factor authentication (MFA) across all publicly accessible login interfaces. Even if an attacker manages to obtain valid credentials through enumerated usernames, they would still need the second factor to gain access.

Additionally, strict account lockout policies and a strong password policy can increase resilience against password attacks. A policy enforcing a minimum length, combined with a password disallow list that prevents users from choosing extremely weak passwords, goes a long way toward preventing unauthorized access.

If the attacks cannot be fully prevented, you should at least monitor for them. Ensure that your monitoring environment is configured to detect multiple failed authentication attempts from a single source, regardless of the username used, so that requests from that IP address can be blocked for a defined period.

Conclusion

In this post, we have explained how such an attack works, what to watch for during testing, and how to defend against it.

Username enumeration is a widespread vulnerability that cannot always be remedied by simply ensuring the application responds identically whether a username exists or not. The most straightforward fix is to perform full password validation even for non-existent accounts.

Ultimately, the risk posed by this vulnerability depends heavily on the authentication methods in place and the strength of the enforced password policy.