User Account Enumeration


Description

The application responds to requests with information that indicates whether an account exists. Attackers can use this information to enumerate valid user accounts, which can then be used as part of a brute force attack against the application.

Impact

Attackers use information such as login error messages to enumerate usernames within the application. Harvested accounts can be used to launch additional attacks, including phishing, brute force password guessing, or denial of service by intentionally locking valid users out of their accounts.
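As an added illustration that is not part of the original finding entry, the following shows a login handler that leaks account existence through its error messages (the behaviour described above) beside a hardened version that returns one generic failure message and does the same password-hashing work on every path. The in-memory user store, handler names and messages are constructed for this example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; a deliberately slow hash, as a real store would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Throwaway record so the hardened handler performs the same expensive
# hash computation whether or not the username exists (no timing leak).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the failure message, and the amount of work done,
    differ depending on whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username."            # reveals the account is absent
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "Login successful."
    return "Incorrect password."              # reveals the account is present


def login_safe(username: str, password: str) -> str:
    """Hardened: one failure message for both cases, and the hash is
    always computed so response time does not distinguish them either."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership check stops a password that happens to match the
    # dummy record from logging in a nonexistent user.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "Login successful."
    return GENERIC_FAILURE
```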

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
