User Enumeration
Description
Often, web applications reveal when a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on the system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP
Recommendation
Ensure the application returns consistent generic error messages in response to an invalid account name, password or other user credentials entered during the login process. Ensure default system accounts and test accounts are deleted prior to releasing the system into production (or exposing it to an untrusted network). OWASP
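The leaky behaviour from the Description beside the generic-message handler the Recommendation asks for, as an added example (not from OWASP or this page). The user store, salt and passwords are constructed; the hardened version also goes slightly beyond the text by doing the same hashing work for unknown accounts, so the response does not differ in timing either.

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 with a fixed iteration count (demo values, constructed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash). Not real data.
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username still costs one full hash comparison.
_DUMMY = (_SALT, _hash("dummy", _SALT))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the error text tells the caller whether the account exists."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"


def login_generic(username: str, password: str) -> str:
    """Hardened: one generic message, and the same work, for unknown user and wrong password."""
    salt, stored = USERS.get(username, _DUMMY)
    # The 'username in USERS' guard stops the dummy record itself from ever authenticating.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "OK" if ok else "Invalid username or password"


def responses_distinguish_users(login, known: str, unknown: str) -> bool:
    """Review check: given a wrong password for a known and an unknown account,
    does the handler answer differently? True means accounts can be enumerated."""
    return login(known, "wrong-password") != login(unknown, "wrong-password")
```

Running `responses_distinguish_users` against each handler with a known account ("alice") and an unknown one ("bob") gives True for `login_leaky` and False for `login_generic`.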
References
- OWASP: Testing for Account Enumeration and Guessable User Account
- CWE-200
- OWASP 2007-A6
- OWASP 2021-A1