User Enumeration
• The ability to determine whether a username, email
address or other identifier is valid by comparing the
application's responses to requests made with valid
and invalid values.
• Response variations include error message text,
lockout behaviour, redirect targets and query string
parameters, whitespace, status codes, response
length, timing, anything really.
• Can exist anywhere the application formulates
a response based on user-specific information.
– Login, account recovery, registration, messaging,
etc.
• Be consistent: return the same message, status code
and response time whether or not the account exists.
– Not always easy to do; timing is the usual leak, e.g.
when the password hash is only computed for
accounts that exist.
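Added example (not from the original slides): a login handler that leaks account existence through both its error messages and its timing, beside a hardened version, plus the comparison a tester runs to spot the difference. The user store, credentials and the `probe`/`is_enumerable` helpers are constructed for illustration; the PBKDF2 iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

ITERATIONS = 20_000  # deliberately low for a quick demo; production uses far more


def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed user store (username -> (salt, hash)); not real credentials.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pbkdf2(b"correct horse", _SALT))}

# Hash of a random password, generated once at startup, so the hardened path
# can burn the same PBKDF2 cost when the username does not exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_bytes(16), _DUMMY_SALT)


@dataclass
class Response:
    status: int
    body: str


def login_vulnerable(username: str, password: str) -> Response:
    """Leaks existence twice: distinct status/message for unknown users, and
    no hash computation for them, so the unknown-user path is much faster."""
    record = USERS.get(username)
    if record is None:
        return Response(404, "No account with that username")
    salt, stored = record
    if hmac.compare_digest(_pbkdf2(password.encode(), salt), stored):
        return Response(200, "Welcome")
    return Response(401, "Incorrect password")


def login_hardened(username: str, password: str) -> Response:
    """Same status, message and hashing work on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_pbkdf2(password.encode(), salt), stored)
    if ok and username in USERS:
        return Response(200, "Welcome")
    return Response(401, "Invalid username or password")


def probe(handler, valid_user: str, invalid_user: str,
          password: str = "wrong-password", samples: int = 5) -> dict:
    """Tester's view: compare a known-valid and a known-invalid username on
    status, body, body length and median response time."""
    def observe(user):
        timings = []
        for _ in range(samples):
            t0 = time.perf_counter()
            resp = handler(user, password)
            timings.append(time.perf_counter() - t0)
        timings.sort()
        return resp, timings[len(timings) // 2]

    r_valid, t_valid = observe(valid_user)
    r_invalid, t_invalid = observe(invalid_user)
    return {
        "status_differs": r_valid.status != r_invalid.status,
        "body_differs": r_valid.body != r_invalid.body,
        "length_differs": len(r_valid.body) != len(r_invalid.body),
        "timing_ratio": t_valid / t_invalid if t_invalid > 0 else float("inf"),
    }


def is_enumerable(handler, valid_user: str, invalid_user: str) -> bool:
    """Flag any content difference, or a timing gap beyond 3x either way."""
    p = probe(handler, valid_user, invalid_user)
    content_leak = p["status_differs"] or p["body_differs"] or p["length_differs"]
    timing_leak = not (1 / 3 <= p["timing_ratio"] <= 3)
    return content_leak or timing_leak


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, probe(handler, "alice", "bob"), "enumerable:",
              is_enumerable(handler, "alice", "bob"))
```

The hardened handler keeps the two failure paths indistinguishable by always running the same PBKDF2 computation and returning one generic message; the dummy hash is the piece most implementations forget, and it is why `probe` reports a timing ratio near 1 for `login_hardened` but a very large one for `login_vulnerable`.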