Username and email enumeration via Forgot password feature in froxlor/froxlor
Nov 4th 2022
User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the response body, response headers or sometimes, in the response delay.
In your application, user enumeration occurs when a user requests a password reset.
🕵️ Proof of Concept
Invalid user/email pair
Valid user/email pair
Responses are not the same depending on the validity of the request.
Use the same response for valid and invalid requests, you can use generic message like :
If your email exists in our database, a password reset link will be send.
User and email enumeration allows an attacker to find valid usernames/emails on the victim application. It can use this information to do more advanced attacks like bruteforcing passwords or phishing attemps.