Web Security Practices (11): Username Enumeration
Username enumeration and password guessing are the two core components of web attack verification. This article discusses only some common cases of username enumeration.
11.1 Obtaining the user name from the website's user ID
On websites such as blogs, forums, and social networks, users are identified in different ways: by user name, by numeric ID, or by nickname. In many cases the user name used to log on is plainly exposed.
Take Blog Park (cnblogs) as an example. Visiting any user's space yields a link of the form http://www.cnblogs.com/tintown/, where tintown is the user name.
In this way we can obtain the logon user names of every user on Blog Park. Baidu Space is another example.
The xuanhun shown above is the logon user name. Baidu recently started encrypting the space addresses of other users you visit, but the encrypted form is easy to restore.
A better approach is to separate the ID used for login from the ID used for the website's functions. The following intranet example shows this.
On the school intranet, the program automatically binds a user ID to each user name. All operations use the ID rather than the user name, while login uses the user name rather than the ID. This makes enumerating user names harder to some extent.
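The separation described above, written out as an added example (my own code, not the school intranet's implementation): the login name is stored but never placed in a URL or profile page, and an opaque random public ID is what the rest of the site uses. The user store, the URL layout and the name UserDirectory are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    login_name: str    # used only on the logon form
    public_id: str     # opaque identifier used in URLs and on profile pages
    display_name: str  # nickname shown to other users


class UserDirectory:
    """Hypothetical user store that never exposes login names through public URLs."""

    def __init__(self):
        self._by_login = {}
        self._by_public = {}

    def register(self, login_name, display_name):
        # Random, non-sequential public ID, so it cannot be derived from the login
        # name or walked in order (assumption: 16 random bytes is enough here).
        public_id = secrets.token_urlsafe(16)
        user = User(login_name, public_id, display_name)
        self._by_login[login_name] = user
        self._by_public[public_id] = user
        return user

    def profile_url(self, user):
        # Contrast with the /<login name>/ pattern seen on Blog Park above.
        return f"/space/{user.public_id}"

    def public_view(self, public_id):
        """What another visitor can see: nickname and public ID, no login name."""
        user = self._by_public.get(public_id)
        if user is None:
            return None
        return {"id": user.public_id, "nickname": user.display_name}

    def authenticate_lookup(self, login_name):
        """Only the logon path resolves a login name; it is never reachable from a URL."""
        return self._by_login.get(login_name)


if __name__ == "__main__":
    directory = UserDirectory()
    u = directory.register("tintown", "Tin Town")
    print(directory.profile_url(u))
    print(directory.public_view(u.public_id))
```

A crawler that walks profile links on such a site collects only public IDs; the login name needed for a logon attempt never appears.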
11.2 Profile content
Many websites use an email address to log on, while the personal profile also has an email field. If a user fills it in, it is likely to expose his login user name.
Indirect information entered into the profile can also expose the user name. For example, if someone fills in a Blog Park space link on website XX, the Blog Park login user name is probably also the user name on website XX, because few people keep changing their user names and passwords.
Other sensitive information: keywords such as username and uid in the page.
11.3 Brute-force logon detection
(1) Logon interface
This is the common method used by many tools: an existing dictionary is used to make logon attempts continuously, and whether the logon succeeded is determined from the returned information.
Take Blog Park as an example:
On the logon page, enter the user name dudu with password 123. A "password error" message is returned.
Enter the user name dudu123456 with password 123. The message "user name does not exist" is returned.
From the difference in the returned information, we can determine whether a user name exists.
(2) Registration information
Take Baidu registration as an example.
If you enter an existing user name, the site reports that the user name already exists. In this way the user name is confirmed.
(3) Password retrieval information
We just discussed the school intranet's security policy against user name enumeration. Now let us look at its password retrieval interface.
Enter the account we want to test. If the account is wrong, this error message is returned. What if it is correct?
Look: even the mailbox is shown to us.
The attack details and protection details will be discussed in the next article.
(5) Account locking
For pages whose returned error messages are less revealing, we can also use the account locking mechanism. The reason is simple: account locking only applies to existing users, not to non-existent ones. 126 Mail is an example. However, account locking is prone to denial-of-service attacks caused by brute-force programs.
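The three interfaces in this section (logon, registration, password retrieval) leak the same thing: a response that differs depending on whether the account exists. As an added example (my own code, not Blog Park's, Baidu's or the intranet's), the leaky logon pattern observed above is shown beside a uniform version, and registration and password retrieval are given a single fixed message with the distinguishing step moved to email. The sample account dudu, its email address, the salt and the message texts are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data; not real Blog Park, Baidu or intranet accounts.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    # Reduced iteration count keeps the demo fast; use a far higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"dudu": {"password": _hash("correct-horse"), "email": "dudu@example.com"}}
# Hash of a random password, checked when the name does not exist, so that a
# missing account costs the same hashing work (and time) as a present one.
_DUMMY_HASH = _hash(secrets.token_hex(16))

LOGIN_ERROR = "Incorrect user name or password."
REGISTER_MSG = "If this user name is available, a confirmation has been sent to your email address."
RESET_MSG = "If the account exists, a reset link has been sent to its registered email address."


def login_leaky(username: str, password: str) -> str:
    """The pattern observed above: two different messages reveal whether a name exists."""
    user = USERS.get(username)
    if user is None:
        return "User name does not exist."
    if not hmac.compare_digest(user["password"], _hash(password)):
        return "Password error."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Same wording and same hashing work whether or not the user name exists."""
    user = USERS.get(username)
    stored = user["password"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(stored, _hash(password))
    if user is None or not ok:
        return LOGIN_ERROR
    return "OK"


def register_uniform(username: str, email: str):
    """Registration answers identically for taken and free names.
    Returns (message shown to the requester, email the server sends internally)."""
    if username in USERS:
        # The existing owner is told at the registered address; the requester learns nothing.
        outbound = {"to": USERS[username]["email"],
                    "subject": "Someone tried to register your user name"}
    else:
        outbound = {"to": email, "subject": "Confirm your new account"}
    return REGISTER_MSG, outbound


def reset_uniform(username: str):
    """Password retrieval never echoes the mailbox; the page text is the same either way.
    Returns (message shown to the requester, email sent internally or None)."""
    user = USERS.get(username)
    outbound: Optional[dict] = (
        {"to": user["email"], "subject": "Password reset link"} if user else None
    )
    return RESET_MSG, outbound


if __name__ == "__main__":
    print(login_leaky("dudu", "123"), "|", login_leaky("dudu123456", "123"))
    print(login_uniform("dudu", "123"), "|", login_uniform("dudu123456", "123"))
    print(reset_uniform("dudu")[0], "|", reset_uniform("nobody")[0])
```

The uniform functions still do something different internally (which mailbox gets a message, whether a hash matched), but nothing in the HTTP response, its wording, or its timing separates the two cases. The dummy hash matters: skipping the hash for unknown names would turn response time into the same oracle the error text used to be.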
11.4 Discussion of methods to prevent brute-force detection
(1) Account locking
Account locking is very effective, because a brute-force program is unlikely to guess the password within 5-6 attempts. However, legitimate users are rejected too. Once an attacker has detected user names, a severe denial-of-service attack becomes possible. Account locking is also ineffective against an attack that tries a single password against a large number of user names.
If the locked account returns no information, the attacker may be confused.
(2) Returned information
If a "success" message is returned regardless of the result, the attack software will stop. But people will soon find out.
(3) Page jump
When a logon error occurs, the user has to log on again on a different page; 126 Mail and the intranet both work this way. The limitation is that you cannot jump every time. Generally the jump happens only on the first error, and brute-force detection can continue after that.
(4) Appropriate latency
Insert a pause when checking the password to slow down the attack, although this may affect users.
(5) Blocking IP addresses after multiple logon attempts
This method also has drawbacks, because attackers can change their IP address regularly.
(6) Verification code
Mien Ng just mentioned the verification code to me. I was going to cover it next time, but since it has come up, it is better to cover it here. The verification code is indeed a good way to prevent brute-force attacks, but a poorly designed one can be bypassed, which will not be detailed here. The verification code is useless against manual probing of specific targets.