User Enumeration in kareadita/kavita
Oct 27th 2022
The migrate-email endpoint is requiring Email, Username, and Password parameter. The Username parameter value will be queried to _userManager.Users and will returning data to user variable, if user variable contain null value, the application will return bad request with "Invalid username" message, which is similar to user doesn't exist message.
This bad request message can be used for user enumeration, with the asumption if an Username parameter value using the valid username, the backend will returing the different message.
Proof of Concept
1. Send a request with the following parameter :
- Email parameter with any email value - Username parameter with any value - Password parameter with any value
2. The backend will response "Invalid username"
3. An then, try to put the valid Username on Username parameter.
4. The backend will response "Your credentials are not correct".
An attacker could perform an bruteforce attack to either guess or confirm valid users in a system.