User Enumeration

Description

During the scan, Kayran managed to find a User Enumeration vulnerability.
User Enumeration is a vulnerability that occurs when an attacker can determine if usernames are valid or not. Most commonly, this issue occurs on login forms, where an error similar to “the username is invalid or in use” is returned.

Although username enumeration is not considered as a high-risk issue, it does provide the attacker with valuable information for further attacks.
It can also assist the attacker in getting users credentials.

An attacker can exploit this behavior by using lengthy lists of common usernames, known names, and dictionary words to observe the application response to all.

Recommendation

Make sure to return a generic “No such username or password” message when a login failure occurs.
Make sure your “forgotten password” page does not reveal any usernames.
Avoid having your site telling people that a supplied username is already taken.

References

https://cwe.mitre.org/data/definitions/200.html

< Return to all Vulnerabilities

What is Kayran

Kayran scanner is helping all businesses, both SMBs and enterprises, to test their online assets and products for over 30,000+ vulnerabilities.Kayran’s mission is to make

Read More »

Explaining API

We’ve talked about API’s Vulnerability in here, but i feel like there’s much more to talk about and explain since this is a big and

Read More »