Enumeration attack dangers
Bot said:

Recently, while testing a blockchain platform for vulnerabilities, our Kaspersky Blockchain Security experts found that the platform’s password recovery process was vulnerable to an attack through username enumeration. Web developers need to be aware of this kind of attack and its dangers.

What’s an enumeration attack?

Web applications with password and login authentication typically include several components that interact with the user database: the login window (for obvious reasons), the registration form (to avoid duplication of usernames), and the password reset page (to make sure that the corresponding account exists). If Web developers do not implement these features securely enough, attackers may be able to use them to determine if a certain username exists in the database.

In the past, it was common for developers to implement all of those features without any protection, and attackers could use a list of usernames and a program that entered them one by one. Over time, to keep potential hackers out, developers began to apply protective tricks such as captcha, limits on the number of login attempts, and the use of asterisks or other means to conceal certain response details.

In modern Web applications, the login window usually has this kind of protection. However, registration forms and password reset pages sometimes lack it. In addition, Web developers do not always consider that the presence or absence of a user in the database can be determined by the timing of the server response. For example, if the username appears in the database, the server’s response takes 2 milliseconds. If not, the response takes twice as long — 4 milliseconds. To a human being, the difference is undetectable, but for automated enumeration tools, it’s easy to see.

The dangers of a username enumeration attack

An enumeration attack allows a hacker to check whether a name exists in the database. That will not allow the hacker to log in immediately, but it gives them half of the necessary information. For example, to set up a brute-force attack, rather than searching through login and password pairs, all they need is a matching password for a verified username, saving time and effort.

Remember as well that almost every service uses e-mail addresses as usernames. Therefore, the average user has one login for many websites, and not all sites take security equally seriously; news of login and password combination leaks is depressingly common. Consolidated collections of data from these leaks are available on hacker message boards. Also, people tend to use the same passwords on different websites, so after making sure that a username exists on your website, an attacker can tap a collection like that to see if passwords for the same user exist on other sites — and then try those passwords.

In addition, spear-phishing operators often employ enumeration attacks during the reconnaissance phase. Having ascertained that their target has an account with your service, they can send an e-mail that appears to come from you, asking the user to change their password and linking to a phishing page that looks like your website. When the unsuspecting customer enters a new password, they also have to confirm the old one — and thus provide the scammers with all they need.

How to protect yourself from an enumeration attack

Have you ever noticed how modern websites respond to the submission of a password reset form? They do not say “A link to reset your password has been sent to you” or “The specified e-mail is not in our database,” as websites used to. Instead, they write, “If this e-mail exists in our database, we will send you a message with a link.” In other words, websites do not explicitly confirm or deny the existence of the username. They made the change specifically to protect against enumeration attacks.

In the same vein, there is no need for you to explain in detail in the login window that the user entered an incorrect password or that no such username exists in the system. Just say that the login/password combination was not found. It’s not ideal from a UX standpoint — I, for one, get exasperated when I forget which e-mail I used for registration but I’m pretty sure about the password, or vice versa, but the website gives me no clue about which field I got wrong. However, security virtually always comes at the cost of comfort, and in the case of authentication services, a minor security bias is justified.

Of course, use of a captcha and limitations on login attempts are also a must. In addition to that, to ensure the security of your Web application, we recommend undergoing a third-party audit. And if you are in blockchain technology, our colleagues from Kaspersky Blockchain Security can help with Web application security analysis (https://www.kaspersky.com/enterprise-security/blockchain-security?redef=1&THRU&reseller=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______).

Source: https://www.kaspersky.com/blog/username-enumeration-attack/34618/