User Enumeration
Impact: Medium
Description
User Enumeration occurs when web applications inadvertently reveal whether a username exists on the system, either due to misconfiguration or design decisions. Attackers exploit this by gathering a list of valid usernames to launch targeted attacks, such as brute force or default username and password attacks.
Recommendation
To prevent User Enumeration, ensure the application consistently returns generic error messages for invalid account names, passwords, or other user credentials during the login process. Additionally, delete default system accounts and test accounts before deploying the system into production or exposing it to untrusted networks.
References
- CWE-200
- CWE-209
- OWASP 2021-A5
- OWASP: Account Enumeration
- OWASP: Testing for Account Enumeration and Guessable User Account
👉 You might also like:
WordPress User Enumeration - Vulnerability
Application and Database Error - Vulnerability
Application Error - Vulnerability
Database Error - Vulnerability
Last updated on May 13, 2024