Saturday, 24 January 2026

Friday Fun Pentest Series - 47 - Username Enumeration - elggv6.3.3

Description

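- It was noted that the "Forgot Password" functionality was vulnerable to "Username Enumeration": the redirect target and the message shown after a reset request differ depending on whether the submitted username exists.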

Username Enumeration

Steps to Reproduce:
  1. Enter a valid user and observe the HTTP response
  2. Enter an invalid user and observe the HTTP response

// HTTP Request - Resetting Password - Valid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin

// HTTP Response - Resetting Password - Valid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/'" />
        <title>Redirecting to http://elgg.local/</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/">http://elgg.local/</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Valid User

GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Valid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Successfully requested a new password, email sent</div></div></div>
[...]


// HTTP Request - Resetting Password - Invalid User

POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x

// HTTP Response - Resetting Password - Invalid User

HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://elgg.local/forgotpassword'" />
        <title>Redirecting to http://elgg.local/forgotpassword</title>
    </head>
    <body>
        Redirecting to <a href="http://elgg.local/forgotpassword">http://elgg.local/forgotpassword</a>.
    </body>
</html>

// HTTP Request - Following Redirection - Invalid User

GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i

// HTTP Response - Following Redirection - Invalid User

HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681
[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">Username x not found.</div></div></div>
[...]
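
Added example (not part of the original post, and not Elgg code): a regression check that compares captured reset responses and lists the fields that still distinguish an existing username from a non-existing one. The first pair is trimmed from the captures above; the second pair and its generic message wording are constructed to show what a remediated flow would return.

```python
import re

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    headers = dict((k.strip().lower(), v.strip())
                   for k, _, v in (l.partition(":") for l in lines[1:]))
    return int(lines[0].split()[1]), headers, body

# Matches the flash message markup shown in the captures.
MESSAGE = re.compile(r'elgg-message (elgg-message-\w+)".*?class="elgg-body">(.*?)</div>', re.S)

def fingerprint(redirect_raw, landing_raw, username):
    """Collect what a client can observe for one password-reset attempt."""
    status, headers, _ = parse_response(redirect_raw)
    match = MESSAGE.search(parse_response(landing_raw)[2])
    kind, text = match.groups() if match else (None, None)
    if text:  # mask the echoed input so only the server's decision is compared
        text = re.sub(r"\b%s\b" % re.escape(username), "<username>", text)
    return {"status": status, "location": headers.get("location"),
            "message_class": kind, "message_text": text}

def differing_fields(a, b):
    """Fields that distinguish the two outcomes; an empty list means no oracle."""
    return sorted(k for k in a if a[k] != b[k])

def page(css, text):
    """Build a minimal landing page carrying one flash message."""
    return ('HTTP/1.1 200 OK\n\n<div class="elgg-message %s"><div class="elgg-inner">'
            '<div class="elgg-body">%s</div></div></div>' % (css, text))

# Trimmed from the captures above.
VALID = fingerprint("HTTP/1.1 302 Found\nLocation: http://elgg.local/\n\n",
                    page("elgg-message-success",
                         "Successfully requested a new password, email sent"), "admin")
INVALID = fingerprint("HTTP/1.1 302 Found\nLocation: http://elgg.local/forgotpassword\n\n",
                      page("elgg-message-error", "Username x not found."), "x")

# Constructed: a remediated flow answering both cases identically (wording is hypothetical).
REDIRECT = "HTTP/1.1 302 Found\nLocation: http://elgg.local/\n\n"
GENERIC = "If the account exists, a reset email has been sent"
FIXED_VALID = fingerprint(REDIRECT, page("elgg-message-success", GENERIC), "admin")
FIXED_INVALID = fingerprint(REDIRECT, page("elgg-message-success", GENERIC), "x")

if __name__ == "__main__":
    print("as captured:", differing_fields(VALID, INVALID))
    print("remediated: ", differing_fields(FIXED_VALID, FIXED_INVALID))
```

The check covers only the redirect target and the flash message; response size and timing are not compared.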
