Details

Alert Id: 40023
Alert Type: Active Scan Rule
Status: beta
Risk: Informational
CWE: 200
WASC: 13

Summary

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.

Solution

Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.
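Added illustration of the Summary and Solution above; this is a constructed example, not ZAP's code and not the scan rule's implementation. It shows a login handler in a leaky form and a hardened form, plus the comparison the rule relies on: send the same wrong password with a valid and an unknown username and see whether status, headers or body differ. User names, the dummy hash and the `Response` type are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed user store: "alice" is the only valid account.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
# Hash compared against when the user is unknown, so the work done
# (and therefore the timing) does not depend on whether the user exists.
DUMMY_HASH = hashlib.sha256(b"dummy-placeholder").hexdigest()


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _check_password(username: str, password: str) -> bool:
    stored = USERS.get(username, DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time compare; the final clause keeps a hit on DUMMY_HASH from counting.
    return hmac.compare_digest(stored, supplied) and username in USERS


def login_leaky(username: str, password: str) -> Response:
    """Weak: status, redirect target and message all reveal whether the user exists."""
    if username not in USERS:
        return Response(404, {"Location": "/login?error=nouser"}, "Unknown user")
    if not _check_password(username, password):
        return Response(401, {}, "Incorrect password")
    return Response(302, {"Location": "/home"}, "")


def login_hardened(username: str, password: str) -> Response:
    """Fixed: one generic failure response, whichever part of the credential was wrong."""
    if _check_password(username, password):
        return Response(302, {"Location": "/home"}, "")
    return Response(401, {}, "Invalid username or password")


def responses_differ(handler, user_a: str, user_b: str, password: str = "wrong") -> bool:
    """The observation the scan rule makes: same bad password, two usernames,
    and any difference in status, headers or body is a potential enumeration oracle."""
    a, b = handler(user_a, password), handler(user_b, password)
    return (a.status, a.headers, a.body) != (b.status, b.headers, b.body)
```

Running `responses_differ(login_leaky, "alice", "nobody")` returns True, while the hardened handler returns identical responses for both names.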

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java