Task #11410
Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation
Pentest_Web_CDB (L1) - Username Enumeration
| Status: | Work Completed-End life cycle | Start date: | December 01, 2020 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | Pentest | Spent time: | - |
| Target version: | - | | |
Description
Web applications often reveal whether a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, when wrong credentials are submitted, the application returns a message stating either that the username is not present on the system or that the provided password is wrong. An attacker can use this difference to build a list of valid users on the system, which in turn supports further attacks on the web application, for example a brute-force or default username and password attack.
Solution Given:
Ensure the application returns consistent generic error messages in response to an invalid account name, password or other user credentials entered during the login process. The messages need to strike a balance between being too cryptic and not being cryptic enough. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.
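The remediation above, shown as an added illustration rather than code from the SAP application or this ticket: a login handler in its leaky "before" form beside the hardened form that returns one generic message for every failure, plus the check a tester would apply to confirm the two failure cases are indistinguishable. The user store, salt and passwords are constructed sample values, and the hardened handler also hashes the supplied password for unknown usernames so that the response time does not become the next distinguishing signal.

```python
import hashlib
import hmac

GENERIC_ERROR = "Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (assumed scheme for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash). Not real data.
_SALT = b"constructed-salt-value"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record used for unknown usernames so the hash computation always runs.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password("unused-dummy-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """'Before' form: the failure message differs by cause, so it reveals
    whether the username exists. This is the behaviour the finding describes."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username.")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password.")
    return (True, "Login successful.")


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Remediated form: every failure yields the same generic message, and the
    password hash is computed even for unknown users (against a dummy record)
    so the two failure paths do the same amount of work."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_matches = hmac.compare_digest(_hash_password(password, salt), stored)
    # Membership is checked after the hash so an unknown user never succeeds,
    # even in the unlikely event the supplied password matches the dummy hash.
    if not (password_matches and username in USERS):
        return (False, GENERIC_ERROR)
    return (True, "Login successful.")


def failure_messages_are_identical(login_fn) -> bool:
    """Retest check from the solution text: the message for an unknown username
    and the message for a wrong password on a known user must be the same."""
    _, unknown_user_msg = login_fn("nobody", "whatever")
    _, wrong_password_msg = login_fn("alice", "wrong")
    return unknown_user_msg == wrong_password_msg


if __name__ == "__main__":
    print("leaky handler passes retest:", failure_messages_are_identical(login_leaky))
    print("hardened handler passes retest:", failure_messages_are_identical(login_hardened))
```

Running the check against the leaky handler reports `False` and against the hardened one `True`; in a real retest the same comparison is made on the HTTP response body, status code and headers of the two failure cases, not only on the message text.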
History
#1 Updated by Najmi Pasarudin almost 4 years ago
- Status changed from New - Begin Life Cycle to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
Update already deployed to Production. Please find the SCP ID.
#2 Updated by Nurul Athira Abdul Rahim almost 4 years ago
- Status changed from Internal Testing to Work Completed-End life cycle
- % Done changed from 0 to 100
Tested and passed.
Updated on pentest doc.
Kindly refer to issue log no. 11221
SCP ID :##5519##