Wednesday, June 14, 2017

Simple Username Harvesting (from SANS SEC542)

Some things are so obvious after they are pointed out to you.

Go to a web site that requires a login. Put in any username with any password. Did the page come back with both the User and Password fields blank? Now put YOUR username in, but with some password you make up. Does the form come back with your username in the User field and nothing in the Password field? If so, here's what you just discovered. The developer is making his form more efficient by not hashing and testing the password unless the username is valid. If the username IS valid, he populates the User field with it and checks the password. If the password is incorrect, he clears only the Password field so you can retry your password. You just discovered a crude form of username harvesting: try different usernames and, if a name stays in the User field, that's a valid account on the server. I know, that would take a lot of time to do by hand. That's why hackers write automated tools.

The repopulated field is just one tell. Any difference between the "no such user" response and the "wrong password" response will do: the wording of the error message, the HTTP status code, the response length, or the extra time the server spends hashing a password it only bothers to hash for real accounts. The fix is to make both cases look the same to the client: run the password hash every time (against a dummy hash when the user doesn't exist), return one generic "invalid username or password" message, and clear both fields.

