Vulnerabilities/

User Enumeration

Severity:: Medium

Description

User Enumeration occurs when web applications inadvertently reveal whether a username exists on the system, either due to misconfiguration or design decisions. Attackers exploit this by gathering a list of valid usernames to launch targeted attacks, such as brute force or default username and password attacks.

Recommendation

To prevent User Enumeration, ensure the application consistently returns generic error messages for invalid account names, passwords, or other user credentials during the login process. Additionally, delete default system accounts and test accounts before deploying the system into production or exposing it to untrusted networks.

References

OWASP: Testing for Account Enumeration and Guessable User Account
OWASP: Account Enumeration
CWE-200
CWE-209
CAPEC-118
CAPEC-49
OWASP 2021-A5

Related Issues

WordPress User Enumeration - Vulnerability
Microsoft IIS Tilde Directory Enumeration - Vulnerability
Unreferenced Login Page Found - Vulnerability
Apache server-info enabled - Vulnerability

Tags:: Information Disclosure; Brute Force

Anything's wrong? Let us know Last updated on May 13, 2024