
very common yet medium-severity vulnerability is present in almost all applications. An enumeration attack occurs when cybercriminals use brute-force methods to check whether particular data exists in a web server's database.
For simple enumeration attacks, this data could include usernames and passwords. More sophisticated attacks can uncover hostnames, SNMP and DNS details, and even confirm weak network configuration settings.
Every web application module that communicates with a user database can become an enumeration attack vector if it is left unsecured.
The two most common web application targets for enumeration attacks are:
Because the vulnerabilities that facilitate these attacks let an attacker cross an information security boundary, enumeration is a critical component of penetration testing.
During an enumeration attack, attackers look for distinctive server responses that confirm the validity of a submitted credential.
The most obvious such response is a field-specific authentication error message returned after a web form submission. To explain the process, we will use a username enumeration attack as the example: attackers try to discover which usernames exist in a web server database.
This attack sequence usually begins by focusing on usernames only. The objective at this stage is to find as many valid usernames in a database as possible.
A webserver with poor application security will identify a non-existent username with an invalid username message similar to this:
Because this message discloses whether the submitted username is valid, a threat actor can confirm that the username is not present in the web server's database.
A cybercriminal then submits the same password with different username variations until a sufficiently large list of validated usernames has been established.
Username variants are either taken from purchased lists of leaked credentials or generated with brute-force techniques.
Attackers then repeat the process with passwords, brute-forcing against all validated usernames until a working combination is found.
This type of attack can be performed against any web application function whose processing includes a database check.
The best way to avoid leaking information through server confirmation messages is to return a single generic message after a failed login attempt, one that does not reveal which field was incorrect.
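The following added example (not code from the original article) shows a login handler with the field-specific messages described above beside a hardened version that returns one generic message. It goes one step beyond the text by also hashing a dummy credential for unknown usernames so that both failure paths do the same amount of work, and it includes a self-check a defender can run to confirm the two responses are indistinguishable. The user store, salt and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 chosen for the example; iteration count kept low for speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed in-memory user store standing in for the database: username -> (salt, hash)
_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record used for unknown usernames so the hashing cost is the same either way
_DUMMY_RECORD = (_SALT, _hash("dummy-password", _SALT))


def login_vulnerable(username: str, password: str) -> str:
    """Field-specific errors: the message itself reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "Invalid username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic message for every failure, and the same work for known and unknown names."""
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    # Always compute and compare the hash, then require that the user really exists,
    # so that guessing the dummy password for an unknown username can never succeed.
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if password_ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_username_existence(login_fn) -> bool:
    """Defender self-check: does an existing and a non-existent username produce
    different responses to the same wrong password? True means enumerable."""
    return login_fn("alice", "wrong-password") != login_fn("nobody", "wrong-password")


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_username_existence(login_vulnerable))  # True
    print("hardened leaks:", leaks_username_existence(login_hardened))      # False
```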