Faces in the Fog: Identifying Users through Unconventional Means
This talk demonstrates how to identify and enumerate users in web applications by analyzing unconventional indicators such as error messages, response timing, and application-specific logic. It explores how developers often inadvertently leak sensitive user information through insecure API endpoints, password reset flows, and account management features. The speaker provides a practical methodology for using LLMs to automate the analysis of HTTP traffic to identify these enumeration vulnerabilities. A custom Python script is demonstrated to automate the extraction of user data from application responses.