User Enumeration- Forgot Password #VDP

Dec 16, 2021

User Enumeration:

User Enumeration is a kind of vulnerability where a malicious user tries to identify whether a particular user is registered or not in an organization.

Vulnerability:

At the forgot password select any email address you want to look up enter email value such as “abc@gmail.com” if it’s registered it sends an email directly if not the application is responding with an error page “ No user exists for this e-mail address: “abc@gmail.com”

Using this error code we would be able to identify if a user is existing in the application or not.

Mitigation:

Instead of relying on status code response, a custom response would be able to fix this issue “for e.g: if a user account exists with this email address you will receive an email shortly”

Written by ganiganeshss79

181 Followers

Lazy Kid | Security Analyst |

Recommended from Medium

Salman Khan

$1,250 worth of Host Header Injection

What is Host Header Injection?

4 min read6 days ago

Blind OS Command Injection via Activation Request!!

theUnixe

Blind OS Command Injection via Activation Request!!

Hello everyone, in this article I’m going to share with you how I found Blind OS Command Injection vulnerability via account activation…

3 min readJun 20

Lists

Medium Publications Accepting Story Submissions

154 stories740 saves

Exploiting Broken Access Control Vulnerability 💰

Manthan_ mahale

Exploiting Broken Access Control Vulnerability 💰

Greetings, fellow security enthusiasts! I’m here to share a recent discovery — a security vulnerability uncovered on the Private program…

2 min readSep 16

Isu Momodu Abdulrauf

Analyzing API Endpoints

Unlock the world of API Hacking with our upcoming series, tailor-made for beginners looking to become API security experts

16 min readJul 27

https://github.com/zadam/trilium/wiki/images/dark-theme.png

Chirag Agrawal
in
InfoSec Write-ups

22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability

CVE-2023–3067: Stored Cross Site Scripting Vulnerability on renowned note-taking thick client app Trillium

2 min readSep 17

How I gained admin access with phpMyAdmin

Manoj Deshmukh

How I gained admin access with phpMyAdmin

Overview

3 min readJun 23

See more recommendations

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Text to speech
Teams

User Enumeration- Forgot Password #VDP

Written by ganiganeshss79

More from ganiganeshss79

HTTP VERB TAMPERING:

HTTP Verb Altering is an assault that misuses vulnerabilities in HTTP verb (too known as HTTP strategy) verification and gets to control…

#Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$

Let me thank all the bug bounty hunters over there who are creating great content and inspiring a lot of people like me.

Security Misconfiguration

Default Credentials leading to Admin Portal Access.

Business Logic Vulnerability:

How I was able to Load Money Into My Account.