User Enumeration Vulnerability
Need
Prevent attackers from enumerating valid usernames in the system
Context
- Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework (1.5 and above) for building web applications
Description
Non compliant code
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "User does not exist")
user ->
if user.password == password,
do: send_resp(conn, 200, "Logged in successfully")
else: send_resp(conn, 400, "Wrong password")
end
end
end
end
The above code is vulnerable to user enumeration. When a user tries to log in, the application responds differently depending on whether the provided username exists or not. If the username doesn't exist, it sends back a 'User does not exist' message. If the username exists but the password is wrong, it sends back a 'Wrong password' message. An attacker could use these differing responses to enumerate the existing users.
Steps
- Change the server response to be the same for both existent and non-existent users.
- Ensure that the response does not leak any information about the existence or non-existence of a user.
Compliant code
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "Incorrect credentials")
user ->
if user.password == password,
do: send_resp(conn, 200, "Logged in successfully")
else: send_resp(conn, 400, "Incorrect credentials")
end
end
end
end
In the secure code example, the server's response is the same ('Incorrect credentials') for both existent and non-existent users. This prevents an attacker from being able to enumerate the existing users based on the server's responses.