User Enumeration Vulnerability
Need
Prevent attackers from enumerating valid usernames in the system
Context
• Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework (1.5 and above) for building web applications
Description
1. Non compliant code
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "User does not exist")
user ->
if user.password == password,
else: send_resp(conn, 400, "Wrong password")...The above code is vulnerable to user enumeration. When a user tries to log in, the application responds differently depending on whether the provided username exists or not. If the username doesn't exist, it sends back a 'User does not exist' message. If the username exists but the password is wrong, it sends back a 'Wrong password' message. An attacker could use these differing responses to enumerate the existing users.
2. Steps
• Change the server response to be the same for both existent and non-existent users.
• Ensure that the response does not leak any information about the existence or non-existence of a user.
3. Secure code example
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "Incorrect credentials")
user ->
if user.password == password,
else: send_resp(conn, 400, "Incorrect credentials")...In the secure code example, the server's response is the same ('Incorrect credentials') for both existent and non-existent users. This prevents an attacker from being able to enumerate the existing users based on the server's responses.
References
• 026. User Enumeration Vulnerability