| Details | |
|---|---|
| Alert ID | 40023 |
| Alert Type | Active |
| Status | beta |
| Risk | Informational |
| CWE | 200 |
| WASC | 13 |
| Technologies Targeted | All |
| Tags |
OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-IDNT-04 |
| More Info |
Scan Rule Help |
Summary
It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.
Solution
Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.Other Info
References
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html
- https://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf
- https://cwe.mitre.org/data/definitions/204.html