This is a kind of attack that is commonly used in penetration testing by white-hat hackers, and its purpose is to check whether certain kinds of information exist on a database or server. For instance, if an attacker has a valid email address and wants to check whether it has been registered on a certain server, they will use this attack. Of course, this form of attack can also be used to retrieve much more sensitive information than just the presence of a user ID.
Most commonly the web pages that attackers target through this kind of attack are the password reset pages and the login pages.
If you visit any kind of login page, you are asked for your username along with your password. An attacker who is trying to find a username or a password can use this to their advantage. Usually, the attacker already holds one or both pieces of information, acquired either through a brute-force attack or by purchasing a list of leaked credentials, and is now checking which combinations of username and password are valid.
For instance, if they have a working email address or username, they will try it with one password. In response, they will get a message saying either that the username is invalid or that the password is invalid; in either case, the validity of one field is confirmed. Once they have one field confirmed, they can start checking it against different passwords and see which one matches the username. This could involve going through hundreds of thousands or even millions of credentials, so it will usually be an automated process, much like a brute-force attack.
A slightly more complex way of differentiating between valid and invalid user credentials is to monitor the server response time. In general, servers will take a little longer to respond to requests for invalid usernames. Using the timing tools common in penetration testing, an attacker can easily see how long the server takes to respond to each request. When they see a response time that stands out, they have found a credential that will work.
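As an added example written for this article (not the author's code), the Python below runs a simple detection over constructed authentication log lines: a source that fails against many distinct usernames inside a short window is behaving like the automated enumeration just described, whereas a single user mistyping one password a few times is not. The log format, addresses, usernames, window and threshold are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "ts src=... user=... result=..." format.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=203.0.113.5 user=alice result=fail
2024-03-01T10:00:01Z src=203.0.113.5 user=bob result=fail
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=fail
2024-03-01T10:00:03Z src=203.0.113.5 user=dave result=fail
2024-03-01T10:00:04Z src=203.0.113.5 user=erin result=fail
2024-03-01T10:00:05Z src=203.0.113.5 user=frank result=fail
2024-03-01T10:00:07Z src=198.51.100.7 user=alice result=fail
2024-03-01T10:00:15Z src=198.51.100.7 user=alice result=fail
2024-03-01T10:00:31Z src=198.51.100.7 user=alice result=success
2024-03-01T10:00:00Z src=192.0.2.9 user=gina result=fail
2024-03-01T10:06:00Z src=192.0.2.9 user=hank result=fail
2024-03-01T10:12:00Z src=192.0.2.9 user=ivan result=fail
2024-03-01T10:18:00Z src=192.0.2.9 user=judy result=fail
2024-03-01T10:24:00Z src=192.0.2.9 user=kate result=fail
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def flag_enumeration(lines, window=timedelta(minutes=5), min_distinct_users=5) -> dict:
    """Return {src: distinct_failed_usernames} for every source that produced
    failed logins against at least min_distinct_users different usernames
    within any single time window. Counting distinct usernames, not raw
    failures, separates enumeration from one user retyping a password."""
    failures_by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "fail":
            failures_by_src[rec["src"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for src, events in failures_by_src.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in flag_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct usernames failed within 5 minutes")
```

With the five-minute window only the first source is flagged: the third source probes five different accounts too, but spread over 24 minutes, so it is only caught when the window is widened. The heuristic is per-source and will not see an attacker who spreads the same probing across many addresses; that is the usual trade-off for this kind of threshold rule.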
The most basic solution to this problem is that rather than responding to a login query with an answer that specifies which field is incorrect, the server should respond with a message that simply says the login credentials aren’t valid. Instead of saying:
‘username does not exist’
it could read:
‘username/password is incorrect’ or ‘the login credential is not valid’
In this way, the attacker cannot tell which of the entries was correct or incorrect, but this will only work for surface-level attacks.
In order to cover server response-time-based attacks, the web application developers should design the program so that it takes a random amount of time to respond to a request. Then, regardless of whether the user input is correct or incorrect, the server takes its own time in sending a response, and there is no consistent time difference for the attacker to use to their advantage.
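As an added example (not code from the original article), the two Python login handlers below contrast the leaky pattern the text describes with one that returns a single generic message, does the same password-hashing work whether or not the username exists, and adds the random delay the text recommends. Hashing a dummy credential for unknown users goes one step beyond the article's random-delay advice; it removes the timing gap at its source rather than masking it. The user store, salts, dummy credential, PBKDF2 work factor and helper names are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Demo-sized PBKDF2 work factor (constructed value; production uses a higher one).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Hypothetical data.
_ALICE_SALT = b"constructed-salt"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# A dummy credential that is hashed whenever the username is unknown, so the
# request costs the same work either way (assumption: added here alongside the
# random delay the article recommends). The password is random, so no guess matches it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The pattern the article warns about: field-specific messages and an early
    return for unknown users, so both the text and the timing reveal existence."""
    record = USERS.get(username)
    if record is None:
        return False, "username does not exist"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "password is incorrect"
    return True, "ok"


def login_hardened(username: str, password: str, jitter_ms: int = 50):
    """One generic message, the same hashing work for known and unknown users,
    and a random delay of up to jitter_ms milliseconds as the article suggests."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash first; only then does membership decide the outcome.
    digest_ok = hmac.compare_digest(hash_password(password, salt), stored)
    ok = digest_ok and username in USERS
    time.sleep(secrets.randbelow(jitter_ms + 1) / 1000.0)
    return (True, "ok") if ok else (False, "username/password is incorrect")


def elapsed_ms(fn, username: str, password: str) -> float:
    """Wall-clock cost of one login attempt, for eyeballing the timing gap."""
    start = time.perf_counter()
    fn(username, password)
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    for user in ("alice", "nobody"):
        print(user, "leaky:", login_leaky(user, "guess"),
              f"{elapsed_ms(login_leaky, user, 'guess'):.1f} ms")
        print(user, "hardened:", login_hardened(user, "guess", jitter_ms=0),
              f"{elapsed_ms(login_hardened, user, 'guess'):.1f} ms")
```

Running the script shows the leaky handler answering almost instantly for an unknown user and taking the full hashing time for a known one, while the hardened handler takes roughly the same time for both and gives the same message. The random delay is kept because the article recommends it, but on its own it only adds noise that enough repeated measurements can average out; doing the same work on both paths is what removes the signal.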