set the password field to the same as the username, you can use the

Even if an application’s responses to login attempts containing valid and

invalid usernames are identical in every intrinsic respect, it may yet be possi-

ble to enumerate usernames based on the time taken for the application to

respond to the login request. Applications often perform very different back-

end processing on a login request, depending on whether it contains a valid

username. For example, when a valid username is submitted, the application

may retrieve user details from a back-end database, perform various process-

ing on these details (for example, checking whether the account is expired),

and then validate the password (which may involve a resource-intensive hash

algorithm), before returning a generic message if the password is incorrect.

The timing difference between the two responses may be too subtle to detect

when working with only a browser, but an automated tool may be able to dis-

criminate between them. Even if the results of such an exercise contain a large

ratio of false positives, it is still better to have a list of 100 usernames approxi-

mately 50% of which are valid than a list of 10,000 usernames approximately

0.5% of which are valid. See Chapter 14 for a detailed methodology for how to

detect and exploit this type of timing difference to extract information from the

application.

T I P