Task #11402
Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation
Pentest_Web_ADMIN (L1) - Username Enumeration
Status: | Closed - End of life cycle | Start date: | December 01, 2020 | |
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | Nurul Athira Abdul Rahim | % Done: | 0% | |
Category: | Pentest | Spent time: | - | |
Target version: | - |
Description
Web applications often reveal when a username exists on system, either as a consequence of mis-configuration or as a design decision. For example, when wrong credentials are submitted, a message that states that either the username is present on the system or the provided password is wrong is returned. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username and password attack.
Solution given :
Ensure the application returns consistent generic error messages in response to invalid account name, password or other user credentials entered during the log in process. The messages need to strike the balance between being too cryptic and not being cryptic enough. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
History
#1 Updated by Najmi Pasarudin almost 4 years ago
- Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri
#2 Updated by Nurul Athira Abdul Rahim almost 4 years ago
- File pentest-ibam login 1.jpg added
- File pentest-ibam login 2.jpg added
To update error message.
Users cannot know whether the username or password entered is correct or not.
#3 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago
- Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim
Hi Athira,
based on Rahmat Aris, they want to keep IBAM Login function.
#4 Updated by Nurul Athira Abdul Rahim over 3 years ago
- Status changed from New - Begin Life Cycle to Pending Customer Feedback
#5 Updated by Nurul Athira Abdul Rahim about 3 years ago
- Status changed from Pending Customer Feedback to Closed - End of life cycle
Updated from JTM :
1st assessment pentest expired.
Pending for 2nd scanning report