Task #11402

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_ADMIN (L1) - Username Enumeration

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Closed - End of life cycle
Start date: December 01, 2020
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 0%
Category: Pentest
Spent time: -
Target version: -

Description

Web applications often reveal whether a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, when wrong credentials are submitted, the application returns a message stating either that the username is not present on the system or that the provided password is wrong. An attacker can use this difference to build a list of valid users on the system, which can then be used to attack the web application, for example through a brute-force or default username and password attack.

Solution given:

Ensure the application returns consistent generic error messages in response to invalid account name, password or other user credentials entered during the log in process. The messages need to strike the balance between being too cryptic and not being cryptic enough. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
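The following added example (not code from the IBAM application or from the pentest report) contrasts a login handler that leaks account existence with one that follows the remediation above. The user store, salts and passwords are constructed sample data. Besides returning one generic message for both failure cases, the hardened version always computes a password hash, because an early return for an unknown username would otherwise let the response time reveal whether the account exists.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

# Constructed sample user store (hypothetical; not the application's real data).
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice": _make_user("correct horse battery staple"),
}

# Dummy record used when the username is unknown, so that the hardened path
# performs the same hashing work whether or not the account exists.
_DUMMY_USER = _make_user("dummy-password-that-never-matches")

GENERIC_MESSAGE = "Invalid username or password."


def login_vulnerable(username: str, password: str) -> Tuple[bool, str]:
    """Leaks account existence: distinct messages per failure case, and the
    unknown-user branch returns before any hashing is done (timing leak)."""
    user = USERS.get(username)
    if user is None:
        return False, "Username not found."
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return False, "Incorrect password."
    return True, "Login successful."


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """One generic message for unknown user and wrong password; the hash is
    always computed so response time does not depend on whether the user exists."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY_USER
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison; the existence check is folded into the result.
    valid = user is not None and hmac.compare_digest(candidate, record["hash"])
    if not valid:
        return False, GENERIC_MESSAGE
    return True, "Login successful."


def messages_distinguish_accounts(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Retest helper: compare the failure message for an unknown username with
    the one for a valid username and wrong password. True means the two cases
    are distinguishable and the finding is still open."""
    _, unknown_msg = login("nobody", "whatever")
    _, wrong_pw_msg = login("alice", "wrong")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "distinguishable:", messages_distinguish_accounts(fn))
```

A retest of this finding should compare not only the message text but also the full response (status code, redirect target, headers, body length) and the response time for the two failure cases; `messages_distinguish_accounts` covers only the message, which is the specific symptom reported in this ticket.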

pentest-ibam login 1.jpg (126 KB) Nurul Athira Abdul Rahim, December 03, 2020 15:10

pentest-ibam login 2.jpg (138 KB) Nurul Athira Abdul Rahim, December 03, 2020 15:10

History

#1 Updated by Najmi Pasarudin almost 4 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri

#2 Updated by Nurul Athira Abdul Rahim almost 4 years ago

To update error message.

Users cannot know whether the username or password entered is correct or not.

#3 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

Hi Athira,
based on Rahmat Aris, they want to keep IBAM Login function.

#4 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Status changed from New - Begin Life Cycle to Pending Customer Feedback

#5 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle

Updated from JTM:
1st assessment pentest expired.
Pending 2nd scanning report.
