In black box and gray box penetration testing scenarios, discovering a list of valid users for an application may be one of the first steps, especially if such an application is not commercial so that you can look for default users online.
Enumerating users in web applications is done by analyzing the responses when usernames are submitted in places such as login, registration, and password recovery pages. Some common error messages follow, which you can find when submitting forms to such pages that tell you that you can enumerate users:
- "User foo: invalid password"
- "invalid user ID"
- "account disabled"
- "this user is not active"
- "invalid user"
Let's review a very simple example on how to discover valid usernames from ...