
I am currently reading the book "Web Security of Developers" and it talks about avoiding Username Enumeration, and it makes no mention of the registration/signup page for your system. I've searched the web and haven't found anything either.

It seems to me that an attacker could simply try signing up for your website with a series of usernames, and that would constitute username enumeration to the same extent as overly informative login failure or password reset pages.

Is this assessment correct or is there something I've overlooked here? Also, if I am right about this, is there a known mitigation approach?

schroeder
Paul

1 Answer


Maybe we could consider that using usernames instead of email addresses for authentication is what allows this misbehavior.

If only the email address is allowed to log in, then it is not a problem to reveal that a username is already used (because it is not sufficient to log in). And because email addresses are unique, there is little chance that someone tries to register with an already existing email address.

If it happens, it is possible not to display any warning and instead to send an email saying "you tried to register again with this email address; if you forgot your password, use the dedicated function. If it was not you, don't worry, your account was not modified".

Furthermore, by using an email confirmation (with an activation link) after registration, a legitimate user who misspelled his email address will be able to figure it out because he will not receive the confirmation email. So even if he used an existing email address by mistake, there is no user enumeration, and he can know that the registration was not completed.

Sibwara
  • What is the difference between e-mail address as username, and a username? I can't see how this changes the risks you're trying to avoid when mitigating user enumeration. In both cases, it will reveal the same information: is *this* input worth trying as a legitimate username. – vidarlo Oct 20 '20 at 08:14
  • If you try to register with your email address, there is no reason that someone else already uses it (unlike usernames). And you can avoid displaying a message if the email address already exists in the database; it is sufficient to send an email to the owner of this address – Sibwara Oct 20 '20 at 08:21
  • So if someone attempts to register a duplicate, you would show no error message, merely act as if everything was ok? That would work... – vidarlo Oct 20 '20 at 08:23
  • Yes, or with a message like "an email confirmation will be sent to your address david@stackexchange.com in order to confirm your registration" so the user can double-check that he used the correct email. And, as I said, if it is a duplicate, instead of sending a confirmation email you send a mail like "Someone tried to register again with your email address" – Sibwara Oct 20 '20 at 10:21
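Worked example of the flow described in the answer and the comments above. This is added code, not code from the answer, from the book, or from any project: a registration service that returns the same message whether or not the email address is already known, sends a confirmation link to new addresses and a "someone tried to register again" notice to activated ones, and lets users log in with email only. The domain `example.invalid`, the class and method names, the low PBKDF2 iteration count (standing in for a tuned password hash) and the in-memory `outbox` list (standing in for a mail queue) are assumptions made for the demo. Two points go beyond the answer: the expensive password hash is computed before the branch so that response time does not leak which path was taken, and a duplicate registration for an account that was never activated re-issues the link (superseding the old one and the old password) rather than warning, since only the mailbox owner can complete activation.

```python
"""Registration flow that does not reveal whether an e-mail address is already registered."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

# Demo parameters (assumptions): real code would use argon2/bcrypt and a real mail queue.
PBKDF2_ITERATIONS = 50_000
ACTIVATE_URL = "https://example.invalid/activate?token="   # placeholder domain


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    activated: bool = False


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


class RegistrationService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}   # keyed by normalised e-mail address
        self.pending: dict[str, str] = {}        # sha256(activation token) -> e-mail
        self.outbox: list[OutboundMail] = []     # stands in for an asynchronous mail queue

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _issue_activation(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        # Store only a digest so a leaked table does not hand out live links.
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = email
        self.outbox.append(OutboundMail(
            email, "Confirm your registration",
            f"Open {ACTIVATE_URL}{token} to finish signing up."))

    def register(self, email: str, password: str) -> str:
        email = self._normalise(email)
        salt = secrets.token_bytes(16)
        # Hash on every path, before branching, so the branch cannot be told apart by timing.
        pw_hash = self._hash(password, salt)
        existing = self.accounts.get(email)
        if existing is None:
            self.accounts[email] = Account(pw_hash, salt)
            self._issue_activation(email)
        elif not existing.activated:
            # Never activated: drop the old link, take the latest credentials, re-send.
            self.pending = {k: v for k, v in self.pending.items() if v != email}
            self.accounts[email] = Account(pw_hash, salt)
            self._issue_activation(email)
        else:
            self.outbox.append(OutboundMail(
                email, "Registration attempt on your account",
                "Someone tried to register again with your email address. If you forgot "
                "your password, use the password reset function. If it was not you, "
                "don't worry: your account was not modified."))
        # Identical message for every outcome; the address is echoed so a typo is visible.
        return f"An email confirmation will be sent to {email} in order to confirm your registration."

    def activate(self, token: str) -> bool:
        email = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if email is None:
            return False
        self.accounts[email].activated = True
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(self._normalise(email))
        if acct is None:
            self._hash(password, b"\x00" * 16)   # same cost for unknown addresses
            return False
        return acct.activated and secrets.compare_digest(
            acct.password_hash, self._hash(password, acct.salt))
```

The `register` return value and HTTP status must be byte-identical across the three branches; the only thing that differs is which email lands in the mailbox, which an attacker who does not control the address cannot observe. Sending the mail from a queue rather than inline keeps SMTP latency out of the response as well.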