
Understanding account enumeration, the video tutorial edition

I've been running my Hack Yourself First workshop all over the world where I talk to software developers about various security risks which they then get to exploit firsthand. It's a lot of fun and very hands on and practical which inevitably means spending time looking at real world implementations of security.

After running a couple of these workshops last week, I wrote Website enumeration insanity: how our personal data is leaked, which highlighted a couple of really bad examples of enumeration that attendees had discovered. That Strawberrynet one in particular... wow! But the post did lead to some questions about how to properly protect against enumeration risks, so, as I've done in the past with modules from the workshop, I've just recorded a walkthrough of some of the stuff I normally cover to help explain both the issue and the defences. This includes a video demo of the problem with Strawberrynet, should anyone be in any doubt whatsoever about the problem at hand:
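To put the defence side into concrete terms, here is an added illustration (my own, not code from the post or the workshop) of the pattern the video is about: a password-reset handler written first the enumeration-prone way, where the response reveals whether an account exists, and then the enumeration-resistant way, where every well-formed request gets the same status and message. The account list and the `Response` type are constructed for the example; the `queue_reset_email` side effect is hypothetical and left as a comment.

```python
# Added illustration (not Troy Hunt's code): a minimal password-reset handler
# shown first the enumeration-prone way, then the enumeration-resistant way.
from dataclasses import dataclass

# Constructed sample data standing in for the site's user store.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def reset_leaky(email: str) -> Response:
    """Enumeration-prone: status and message differ depending on whether the account exists."""
    if email in KNOWN_ACCOUNTS:
        # queue_reset_email(email)  # hypothetical side effect, omitted in this example
        return Response(200, "A password reset link has been sent to your email address.")
    return Response(404, "No account exists with that email address.")


def reset_hardened(email: str) -> Response:
    """Enumeration-resistant: the caller receives the same status and message either way."""
    if email in KNOWN_ACCOUNTS:
        pass  # queue_reset_email(email) would go here; only the mailbox owner learns the outcome
    return Response(200, "If an account exists for that address, a reset link has been sent.")


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """True when a known account's response can be told apart from an unknown account's."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("hardened", reset_hardened)):
        leaks = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: leaks account existence = {leaks}")
```

The `leaks_account_existence` check only compares the response body and status; in a real deployment the same discipline applies to anything else an observer can measure, such as response time (sending the email asynchronously keeps the two paths similar), HTTP headers, and the wording of registration and login errors.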

If you enjoyed the style of how I explained the enumeration risk, you might also like the following which are again, both from my Hack Yourself First workshop:

  1. Understanding CSP, the video tutorial edition
  2. Understanding CSRF, the video tutorial edition

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals