Credential Validation Methodology

[Vipee624]

I would love to understand how it is validating if a user or email is taken? There are some usecases I have where the methodology matters.

[kaifcodec]

Email scan:

The validation methodology employs a prioritized hierarchy of techniques to determine account existence:

• Registration Enumeration: Simulates a signup attempt to capture server-side validation errors (e.g., "Email already registered"). This is our primary and most accurate method.

• Login Response Leakage: Analyzes error messages from login attempts with dummy passwords. Distinguishing between "User not found" and "Incorrect password" confirms the account's presence.

• Public API Endpoints: Leverages official or internal JSON endpoints used by mobile apps and web frontends to verify account status or profile availability.

• Password Recovery (Last Resort): Checks the behavior of forgot-password forms. If the system confirms a reset link was sent or provides a specific "User found" message, the account is validated.

Each method is executed via non-destructive HTTP requests, observing server behavior without finalizing registrations or modifying account data.

---

Username scan:

We validate usernames by analyzing the interaction between the request and the platform's specific response behavior:

• Request Strategy: We send targeted GET or POST requests using browser-imitation headers (User-Agent, Referer) to bypass bot detection.
• Response Handling:
  • Beyond 200/404: We don't just trust a 200 OK. Many sites return a 200 for a "User Not Found" page. We use String Fingerprinting to search the response body for specific success markers (e.g., <title>Profile - ...) or error messages.
  • API Logic: For JSON-based sites, we ignore the HTTP code and parse the Internal Status Code (e.g., checking if the JSON contains "error": null vs "code": 404).
  • Redirect Detection: If a site redirects a non-existent user to the homepage, we identify the redirect URL to prevent a false positive.

[Vipee624]

Thank you so much! This is quite helpful.