User Account Enumeration


The application responds to requests with information that reveals whether a given account exists. Attackers can use this information to enumerate valid user accounts, which then serve as input to a brute force attack against the application.


Attackers use information such as login error messages ("unknown user" versus "incorrect password"), differing HTTP status codes, response sizes, or response times on the login, registration, and password reset pages to enumerate usernames within the application. Harvested accounts can be used to launch additional attacks, including phishing, brute force guessing of passwords, or denial of service by intentionally locking valid users out of their accounts.
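The following is an added example, not code from the original page: a vulnerable login handler that leaks account existence through distinct messages and status codes, a hardened handler that returns one response and does the same amount of password-hashing work regardless of whether the username exists, and a probe in the style of a "How To Test" step that groups candidate usernames by the response they receive. The user store, salt, and password are constructed demo data.

```python
import hashlib
import hmac

# Constructed demo user store (not from the page). Passwords are stored as
# salted PBKDF2 hashes; a real system uses a random per-user salt.
_SALT = b"fixed-demo-salt"
_ITERATIONS = 50_000  # kept modest so the example runs quickly


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "alice": _hash("correct horse battery staple"),
}

# Dummy hash compared against when the username is unknown, so that an
# unknown user costs exactly one PBKDF2 computation, like a known one.
_DUMMY_HASH = _hash("dummy")


def vulnerable_login(username, password):
    """Leaks existence: different status and message for unknown user vs. wrong
    password, and no hashing work at all when the user is unknown."""
    stored = USERS.get(username)
    if stored is None:
        return 404, "No account found for that username"
    if hmac.compare_digest(stored, _hash(password)):
        return 200, "Welcome"
    return 401, "Incorrect password"


def hardened_login(username, password):
    """Same status, same message and same hashing cost whether the username
    exists or not. The existence check happens after the hash comparison so
    the dummy hash can never log someone in."""
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password))
    if password_ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def enumerate_users(login, candidates, password="definitely-not-the-password"):
    """Probe a login function with a known-bad password and group the
    candidate usernames by the (status, message) they receive. If the
    application leaks, valid and invalid names land in different groups."""
    groups = {}
    for name in candidates:
        groups.setdefault(login(name, password), []).append(name)
    return groups


def leaks_existence(login, candidates):
    """True when the probe can split candidates into more than one group."""
    return len(enumerate_users(login, candidates)) > 1


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]  # constructed candidate list
    print("vulnerable:", enumerate_users(vulnerable_login, wordlist))
    print("hardened:  ", enumerate_users(hardened_login, wordlist))
```

Against a live target the same grouping is done on HTTP status, response body and Content-Length; compare response times as well, since a handler that skips the hash computation for unknown users (as the vulnerable one above does) answers measurably faster even when the visible message is identical. Apply the same probe to registration ("username already taken") and password reset ("no account with that email") endpoints, which leak the same information as often as the login form does.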

Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas




