Time-based User Enumeration

Introduction

One of the most important points in pentesting a web application is to find out valid user data and then use brute force or dictionary attacks to find out the second factor, the password. Nowadays, enumerating usernames in applications is becoming an increasing challenge for attackers. This is a good sign because it means developers are doing their homework and keeping application security in mind. Most applications now return only generic messages, such as "email address or password is incorrect," when logins fail.

Since simply enumerating usernames is no longer an option, a deeper approach must be taken to get this valuable information. This is where the vulnerability of time-based user numbering comes into play.

Classical Approach vs. Time-based Approach

In the classical approach to user numbering, you look for specific feedback from the system. This can be as obvious as an error message ("This account does not exist.") or simply a slight change in response error codes. In either case, an attacker can abuse this to automatically create a list of valid usernames that can be used for password attacks. Since this case does not occur too often in today's systems, one has to take a deeper approach.

The time-based part of this vulnerability occurs when the application has no obvious way to determine the validity of a username, but the timing of the web server's response changes. Typically, this is caused by flaws in the application's login processing code that create a much longer execution path, resulting in a longer time delay.

No matter how an attacker manages to grab valid user data, it poses a risk to your organization. This list contains half of the data required to log in to the application in question, greatly increasing the likelihood that someone will gain unauthorized access. The only thing now standing between your company and a compromise is the strength of your users' passwords, which - I think we can all agree - are probably not very good.

What to Consider When Testing?

There are a few points to consider when testing. First and foremost, it is important not to stress the server too much, as this could consume the result. Therefore, you should include a small delay between requests.

Additionally, it is advisable to split the valid usernames in the payload, which means that the valid usernames are not sent in consecutive requests. This random splitting in the data set reduces the risk of false positives.

Furthermore, it is necessary to run the test several times. Afterwards the average response time per user should be calculated, this normalizes the data and further reduces the risk of false positives.

Of course, even with all these measures, the success of the attack depends very much on the stability of the server and the Internet connection between the server and the client.

How do I Prevent Time-based User Enumeration?

Now that we have seen how the time-based user enumeration attack works, the question is how to secure systems against it. For in-house developed applications, the developers should be made aware of this problem in order to find ways to avoid large time differences in login processes. If one does not own the code, as is the case with commercial standard software, the matter becomes more complicated.

In addition to addressing the root cause, some additional controls should be built in to reduce the risk of unauthorized access. The most effective control would be to implement multi-factor authentication (MFA) for all your open login interfaces. Even if an attacker were to gain access to valid credentials through the list of enumerated usernames, they would need this second factor to gain access.

Alternatively, strict account lockouts and a strong password policy can increase resistance to password attacks. A password policy with a minimum length and the creation of a password disallow list that prevents users from setting extremely weak passwords can help prevent unauthorized access.

If the attacks cannot be prevented, at least monitor them. Make sure your monitoring environment is configured to detect multiple invalid authentication attempts from a single source, regardless of username, so that requests from that IP address are blocked for a period of time.

Conclusion

In this blog post, we have explained how such an attack can take place, what to look out for and how to prevent these attacks.

User name enumeration is a very widespread vulnerability that cannot always be fixed by simply making sure that the application reacts the same way in situations where the user name exists and does not exist. The most trivial solution to this vulnerability would be to perform password validation even for accounts that do not exist.

However, the risk of this vulnerability is highly dependent on the methods used for authentication or the password policy used.