Username enumeration

1. Vulnerability description

       Username enumeration is most often found in a system's login interface. Because of misconfiguration or a design flaw, the server responds differently when a valid account is submitted than when an invalid one is. By comparing those responses, an attacker can learn which accounts exist in the system, and can then brute-force the passwords of exactly those accounts.

2. Where the vulnerabilities exist

       To test manually, submit an account name and check the page's response: does it say specifically that the user name does not exist, or that the password is incorrect? Username enumeration is commonly found in the following places:

1. Login interface

     Entering a user name that does not exist returns "the user name does not exist", while entering an existing user name with a wrong password returns "the password is incorrect". This is the typical form of username enumeration. Note: the finding is only exploitable if the login form can be submitted without a graphic CAPTCHA, or the CAPTCHA is ineffective (not actually validated, or reusable). If a valid CAPTCHA is required for every attempt, the response difference cannot be brute-forced at scale.


2. Registration page

     Entering an existing user name returns a message that the user name is already taken. This can also be used to enumerate the system's accounts.

3. Password retrieval (forgot password)

       Enter the login account; if the account does not exist, the page returns an error saying so, which leaks the same information as the login form.

3. Repair

       Change the login page's feedback so that both failure cases return the same message: "incorrect user name or password". The two responses should also match in HTTP status code, response length and, as far as possible, timing; otherwise the difference is still detectable even though the text is identical. Apply the same principle to the password-retrieval flow (for example, "if the account exists, a reset message has been sent"), and add rate limiting or a CAPTCHA so that whatever remains cannot be brute-forced at scale.
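The following is an added example, not code from the original post: it puts the vulnerable login handler described in section 2 next to the hardened handler described in section 3, and includes the attacker-side check a tester would run, which submits a candidate list with a wrong password and groups the replies by (status, length, body). The account table, messages and candidate list are constructed for the illustration; the dummy-hash trick for unknown users is a common hardening technique and is an addition here, not something the post states.

```python
"""Username enumeration: vulnerable vs. hardened login handler, plus the
attacker-side response comparison. Added illustration; the account table,
messages and candidate list below are constructed for the example."""
from collections import Counter
import hashlib
import hmac

# Constructed sample account table: username -> SHA-256 of the password.
# (A real system would use a slow salted hash such as bcrypt or argon2.)
USERS = {
    "admin": hashlib.sha256(b"S3cret!").hexdigest(),
    "alice": hashlib.sha256(b"password123").hexdigest(),
}

# Hash compared against when the user does not exist, so the hardened
# handler does the same amount of work for known and unknown accounts.
DUMMY_HASH = hashlib.sha256(b"dummy-value-for-unknown-users").hexdigest()

GENERIC_ERROR = "Incorrect username or password."


def _password_matches(stored_hash, password):
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, candidate)


def login_vulnerable(username, password):
    """The flaw described in the post: the error text tells the caller
    whether the account exists before the password is even checked."""
    if username not in USERS:
        return {"status": 200, "body": "User name does not exist"}
    if not _password_matches(USERS[username], password):
        return {"status": 200, "body": "Password is incorrect"}
    return {"status": 200, "body": "Login successful"}


def login_fixed(username, password):
    """Hardened handler: both failure cases return the same status and
    the same body, and the hash comparison runs for unknown users too."""
    exists = username in USERS
    ok = _password_matches(USERS.get(username, DUMMY_HASH), password)
    if exists and ok:
        return {"status": 200, "body": "Login successful"}
    return {"status": 200, "body": GENERIC_ERROR}


def response_signature(resp):
    """What a tester compares across requests: status code, body length
    and body text. Response timing would be the next field to add."""
    return (resp["status"], len(resp["body"]), resp["body"])


def enumerate_users(login, candidates, probe_password="definitely-wrong"):
    """Submit every candidate with the same wrong password and group the
    replies by signature. The most common signature is taken as the
    'unknown user' baseline; candidates that answer differently are the
    accounts that exist. Returns that set (empty when nothing leaks)."""
    sigs = {name: response_signature(login(name, probe_password))
            for name in candidates}
    baseline = Counter(sigs.values()).most_common(1)[0][0]
    return {name for name, sig in sigs.items() if sig != baseline}


if __name__ == "__main__":
    # Constructed candidate list; most entries do not exist, which is the
    # normal situation for a wordlist and makes the baseline heuristic work.
    wordlist = ["admin", "alice", "bob", "carol", "dave", "root"]
    print("vulnerable:", sorted(enumerate_users(login_vulnerable, wordlist)))
    print("fixed:     ", sorted(enumerate_users(login_fixed, wordlist)))
```

Against `login_vulnerable` the check recovers `admin` and `alice` from the wordlist; against `login_fixed` every candidate produces the same signature and the result is empty. The same comparison applies to a registration or password-retrieval endpoint: swap in the function that submits to that form and compare the signatures in the same way.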

 

               ———Heart, if there is no place to inhabit, it will be wandering everywhere


Origin blog.csdn.net/qq_44159028/article/details/115036507