Username Enumeration

Overview

User enumeration can be done on login portals, getting errors like "Incorrect Passowrd" when a user exists and "User Doesn't Exist" when a user doesn't exist.

The Likelihood of these attacks are high, but the Impact of them are low as long as other security measures are in place.

A simple fix is to synchronize both valid and invalid user error messages

Example 1

Example 2

PreviousInformation Disclosure NextDefault Web Pages

Last updated 10 months ago

Was this helpful?