In this walkthrough, we will go through the Username Enumeration (Login) vulnerability section from Mutillidae Labs. We will explore and exploit username enumeration in login panels and learn how applications are affected by it. So, let's get started with the hacking without any delay.
Security Level: 0 (Hosed)
- Setting the security level to 0 or Hosed.
- The page has an authentication mechanism which requires a username and password.
- I entered a common username, admin, with a random password and it showed Password Incorrect.
- Then, I entered a random username and it showed Account does not exist. Thus, the application is vulnerable to username enumeration.
Conclusion:
So, we finally completed all the security levels for the Mutillidae Username Enumeration (Login) Vulnerability. We looked into the various ways the application has been set up at each level and how we can bypass the security controls implemented. Next, we can mitigate potential username enumeration attacks by displaying a generic message like "Login Failed" or "Username or Password is incorrect" for any unsuccessful login attempt. Along with that, a WAF can mitigate this by blocking repeated requests from an attacker who tries to log in with many different usernames. On that note, I will take your leave and will meet you in the next one with another Mutillidae vulnerability writeup; till then, "Keep Hacking".
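To tie the Security Level 0 observations to the mitigations just described, here is an added example (not code from the Mutillidae project or from this write-up). It shows a login handler that leaks account existence through two different failure messages, next to a hardened handler that returns one generic message and runs the same password-hash check whether or not the username exists, so the response body and the amount of work done no longer tell the two cases apart. A small log check models the WAF-style control: it flags sources that keep failing against many distinct usernames. The user store, salt, password and log lines are all constructed sample data; the log format is an assumption.

```python
"""Vulnerable vs. hardened login, plus a simple enumeration detector.
All users, secrets and log lines below are constructed for this example."""
import hashlib
import hmac
from collections import defaultdict

# Iteration count kept modest so the example runs quickly; use more in production.
_ITERATIONS = 50_000
_SALT = b"constructed-demo-salt"  # constructed; real code uses a per-user random salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: a single account.
USERS = {"admin": _hash_password("correct horse")}

# Hash checked for unknown usernames so both paths cost the same.
_DUMMY_HASH = _hash_password("dummy-password-never-valid")

GENERIC_FAILURE = "Username or Password is incorrect"


def login_vulnerable(username: str, password: str):
    """Mirrors the 'Hosed' level: the failure message reveals whether the
    account exists, which is exactly what an enumeration attempt looks for."""
    if username not in USERS:
        return (False, "Account does not exist")
    if not hmac.compare_digest(USERS[username], _hash_password(password)):
        return (False, "Password Incorrect")
    return (True, "Login successful")


def login_hardened(username: str, password: str):
    """One generic message for every failure. The hash comparison runs even
    for unknown usernames, so timing does not leak what the message hides."""
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash_password(password))
    if username not in USERS or not password_ok:
        return (False, GENERIC_FAILURE)
    return (True, "Login successful")


def flag_enumeration_sources(log_lines, threshold: int = 5):
    """Return source IPs whose failed logins span at least `threshold`
    distinct usernames. Assumed log format: '<ip> <LOGIN_OK|LOGIN_FAIL> user=<name>'."""
    failed_users = defaultdict(set)
    for line in log_lines:
        ip, outcome, user_field = line.split()
        if outcome == "LOGIN_FAIL":
            failed_users[ip].add(user_field.split("=", 1)[1])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= threshold)


# Constructed sample log: one source cycling through usernames, one ordinary user.
SAMPLE_LOG = [
    "10.0.0.5 LOGIN_FAIL user=admin",
    "10.0.0.5 LOGIN_FAIL user=root",
    "10.0.0.5 LOGIN_FAIL user=test",
    "10.0.0.5 LOGIN_FAIL user=guest",
    "10.0.0.5 LOGIN_FAIL user=john",
    "10.0.0.5 LOGIN_FAIL user=jane",
    "10.0.0.9 LOGIN_FAIL user=alice",
    "10.0.0.9 LOGIN_FAIL user=alice",
    "10.0.0.9 LOGIN_OK user=alice",
]


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__, handler("admin", "wrong"), handler("nobody", "wrong"))
    print("flagged sources:", flag_enumeration_sources(SAMPLE_LOG))
```

The hardened handler still needs the account lockout or rate limit that the detector models: a generic message stops the response from naming the account, but without a limit on attempts an attacker can keep guessing passwords for any username.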