User Enumeration

Description

Username enumeration is a vulnerability that occurs when an attacker can determine if usernames are valid or not. Most commonly, this issue occurs on login forms, where an error similar to “the username is invalid or in use” is returned.

Bussines Impact

Although username enumeration is not itself present as a high-risk issue, it does provide an attacker valuable information for further attacks.

Recommendation

Make sure to return a generic “No such username or password” message when a login failure occurs. Make sure your “forgotten password” page does not reveal usernames. Avoid having your site tell people that a supplied username is already taken.

More Details

An attacker can exploit this behavior by using lengthy lists of common usernames, known names, and dictionary words to observe the application response to all.

Reference

https://cwe.mitre.org/data/definitions/200.html

What is a CWE ?

Similar to the article written on CVEs, in this article we will answer the questions :What is CWE ? and, what is the difference between

Read More »

HTTP VS. HTTPS

You must have once wondered what HTTP means and what is the difference between that ugly word to HTTPS, and if not, then please read

Read More »