Username Enumeration

Overview

Username enumeration occurs when an application responds differently depending on whether a supplied username exists. The classic case is a login portal that returns "Incorrect password" when the user exists and "User doesn't exist" when it does not; an attacker can then confirm valid accounts before moving on to password guessing.

The likelihood of this issue is high, but its impact is low as long as other controls (rate limiting, account lockout and a strong password policy) are in place.

A simple fix is to return the same generic error message (for example, "Invalid username or password") whether or not the username exists. The response should also match in status code, length and timing, since a difference in any of those leaks the same information as a different message.
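The login case above, as an added example that is not part of the original page: a deliberately leaky handler next to a hardened one, plus the check a tester would run against both. The user store, the names login_vulnerable, login_hardened and enumeration_oracle, and the sample credentials are all constructed for this illustration. The hardened version verifies unknown usernames against a dummy hash so that both failure paths cost the same, not just read the same.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store (not from the page): username -> (salt, PBKDF2 hash).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Dummy credential: unknown usernames are verified against this so the server
# does the same amount of work (and takes about the same time) as for a real user.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"


def login_vulnerable(username: str, password: str) -> tuple[bool, str]:
    """Deliberately leaky: the failure message says whether the user exists, and
    unknown users skip the hashing step, so the response time differs as well."""
    record = USERS.get(username)
    if record is None:
        return False, "User doesn't exist"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Welcome"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Same message, same code path and same hashing cost for both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    if not (password_ok and username in USERS):
        return False, GENERIC_FAILURE
    return True, "Welcome"


def enumeration_oracle(login, candidates, probe_password="definitely-wrong"):
    """Tester's check: submit one wrong password per candidate and group the
    candidates by the message they get back. More than one distinct message
    means the endpoint distinguishes existing users from non-existing ones."""
    by_message: dict[str, list[str]] = {}
    for name in candidates:
        _, message = login(name, probe_password)
        by_message.setdefault(message, []).append(name)
    return by_message


if __name__ == "__main__":
    candidates = ["alice", "bob", "admin"]
    print("vulnerable:", enumeration_oracle(login_vulnerable, candidates))
    print("hardened:  ", enumeration_oracle(login_hardened, candidates))
```

The oracle here buckets only by message text; against a real endpoint the same comparison should be made on status code, response length, redirect target and response time, because any of those can differ even when the wording has been unified.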

Example 1

Username enumeration via a Forgot Password Feature
Evidence
Remediation

Example 2

Username enumeration via an Onboarding page
Evidence and Remediation
