
Two-step registration. The problem of username enumeration.

2017-01-17 23:57:37

Problem

If, during registration, the system validates that the username is unique and reports the result in some kind of validation message, you can treat this as a data leak. A potential attacker can use this functionality, with an automated script, to check whether any of the common usernames exist in your system. Once the attacker has confirmed that your system contains some of the common usernames, he is ready to try a brute-force attack against the login page.

Solution

Prepare a two-step registration. In the first step the user has to provide only an email address and then wait for a message. The message can either inform the user that this email is already in use, or provide a form where the user can enter all the other data and finalize the registration.
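As an added illustration (not code from the original post), the two handlers below contrast the leaky username check with the two-step flow described above. The account sets, the `Mailbox` class, the `example.invalid` link and the token store are all constructed assumptions; the point is that step one returns an identical HTTP response for known and unknown addresses, and only the e-mail body differs.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: accounts that already exist in the hypothetical system.
EXISTING_USERNAMES = {"admin", "john", "test"}
EXISTING_EMAILS = {"john@example.com"}


def check_username_leaky(username: str) -> dict:
    """The problematic pattern: the response tells the caller whether the
    username is taken, so an automated script can enumerate accounts."""
    if username in EXISTING_USERNAMES:
        return {"status": 409, "message": "Username already taken"}
    return {"status": 200, "message": "Username available"}


@dataclass
class Mailbox:
    """Stand-in for the outgoing e-mail queue (assumption: the real app sends mail)."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


# Assumed server-side store: registration token -> e-mail address.
PENDING_TOKENS: dict = {}


def start_registration(email: str, mailbox: Mailbox) -> dict:
    """Step one: accept an e-mail address and return the same response whether
    or not it is already registered. The distinguishing information travels
    only to the mailbox, which an enumerating script does not control."""
    if email in EXISTING_EMAILS:
        mailbox.send(email, "This address is already registered. "
                            "If this was you, sign in or reset your password.")
    else:
        token = secrets.token_urlsafe(32)
        PENDING_TOKENS[token] = email
        mailbox.send(email, f"Finish your registration: "
                            f"https://example.invalid/register/{token}")
    # Uniform response: same status and text regardless of the branch taken.
    return {"status": 200, "message": "If the address is valid, we have sent you an e-mail."}


def finish_registration(token: str, username: str, password: str) -> dict:
    """Step two: the form behind the e-mailed link. Only the holder of a valid
    token reaches the username check, so mass enumeration is no longer possible."""
    email = PENDING_TOKENS.pop(token, None)
    if email is None:
        return {"status": 400, "message": "Invalid or expired registration link"}
    if username in EXISTING_USERNAMES:
        PENDING_TOKENS[token] = email  # keep the token so the user can retry
        return {"status": 409, "message": "Username already taken"}
    EXISTING_USERNAMES.add(username)
    EXISTING_EMAILS.add(email)
    return {"status": 201, "message": "Account created"}
```

One caveat when applying this: the two branches of `start_registration` should also take roughly the same time and, in a real system, send mail asynchronously, otherwise response timing can leak what the message text no longer does.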

Solution 2

It is also possible to have the system generate the username, but then the generated username should be quite random.
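As an added example (not code from the original post), here is what "quite random" means in practice: the username is drawn from a CSPRNG over a fixed alphabet and checked against a minimum entropy, whereas a prefix-plus-counter scheme is trivially guessable. The alphabet, the 10-character length and the 48-bit threshold are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Assumed alphabet: lowercase letters and digits (36 symbols).
ALPHABET = string.ascii_lowercase + string.digits


def predictable_username(sequence_number: int) -> str:
    """The weak variant: a prefix plus a counter. Given one example, every other
    username can be guessed, so nothing is gained over user-chosen names."""
    return f"user{sequence_number}"


def random_username(length: int = 10) -> str:
    """Generate a username from the secrets module (CSPRNG), not random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly chosen string of the given length."""
    return length * math.log2(alphabet_size)


def is_acceptable(username: str, min_bits: float = 48.0) -> bool:
    """Accept a generated name only if it uses the alphabet and is long enough
    that a uniform choice over that alphabet reaches min_bits of entropy."""
    return (all(c in ALPHABET for c in username)
            and entropy_bits(len(username)) >= min_bits)
```

With 36 symbols each character contributes about 5.17 bits, so 10 characters give roughly 51.7 bits; nine characters fall below the 48-bit threshold, and `user42` is rejected for the same reason.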