Username Enumeration

Website error messages are great resources for collating this information to build a list of valid usernames. I have a form to create a new user account if I go to the Acme IT Support website (http://10.10.13.84/customers/signup) signup page.

After trying to entering the username admin and fill in the other form fields with fake information, you'll see I get the error An account with this username already exists. I can use the existence of this error message to produce a list of valid usernames already signed up on the system by using the ffuf tool below. The ffuf tool uses a list of commonly used usernames to check against for any matches.

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.13.84/customers/signup -mr "username already exists"

In the above example, the -w argument selects the file's location on the computer that contains the list of usernames that I'm going to check exists. The -X argument specifies the request method, this will be a GET request by default, but it is a POST request in my example. The -d argument specifies the data that I am going to send. In this example, I have the fields username, email, password and cpassword. I've set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request. The -H argument is used for adding additional headers to the request. In this instance, I'm setting the Content-Type to the webserver knows we are sending form data. The -u argument specifies the URL we are making the request to, and finally, the -mr argument is the text on the page I will be looking for to validate any valid username found.

As the results above show, these are some of the users found.