Task #12559

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_IBAM - Username Enumeration [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 08, 2021
Priority: Normal
Due date: -
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

Web applications often reveal whether a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, when wrong credentials are submitted, the application returns a message stating either that the username is not present on the system or that the provided password is wrong. An attacker can use this difference to build a list of valid users on the system, which can then be used to attack the web application, for example through a brute-force or default username and password attack.

Solution provided by LGMS:
Ensure the application returns consistent, generic error messages in response to an invalid account name, password or other user credentials entered during the login process. The messages need to strike a balance between being too cryptic and not being cryptic enough. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.

Affected Module and URL:

[Login]
https://10.10.55.34:9444/bsn-admin-uat/common/Login.do
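The following is an added illustration, not code from the BSN application or the LGMS report: a login check in the leaky form described above (distinct "username not found" and "incorrect password" messages) beside a hardened form that returns one generic message and always runs the password hash so unknown usernames are not also distinguishable by response time. The user store, passwords and messages are constructed for the example; the regression check at the end is the test a retester would run to confirm the fix.

```python
import hashlib
import hmac
import os

# Constructed sample user store (not the application's data): username -> (salt, pbkdf2 hash)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential: unknown usernames still pay for one hash computation,
# so the failure path takes the same time whether or not the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-never-matches", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable form: the message reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Username not found."
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password."
    return True, "Login successful."

def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one generic message for every failure, and the hash is
    always computed (against a dummy record for unknown users)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    # The membership check comes after the hash so it does not short-circuit timing.
    if not (match and username in USERS):
        return False, GENERIC_ERROR
    return True, "Login successful."

def responses_distinguish_users(login) -> bool:
    """Retest check: True if an unknown username and a wrong password for a known
    username produce different messages, i.e. the login is still an enumeration oracle."""
    _, unknown_msg = login("nobody", "whatever")
    _, wrong_pw_msg = login("alice", "whatever")
    return unknown_msg != wrong_pw_msg
```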

2021 BSN CDB Admin Portal Web Application Penetration Test Quick Results-v1.0.xlsx (2.19 MB) Nurul Athira Abdul Rahim, November 08, 2021 16:19

Admin L1 - Error message update.jpg (162 KB) Nurul Athira Abdul Rahim, December 06, 2021 17:47

History

#1 Updated by Nurul Hasnieza Bt Mohd Zamri almost 3 years ago

  • Status changed from New - Begin Life Cycle to Finished Development
  • % Done changed from 0 to 80

Updated the "username not found" error message; standardized to "Invalid username or password".

#2 Updated by Nurul Hasnieza Bt Mohd Zamri almost 3 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

SIT has been deployed. Kindly retest.

#3 Updated by Nurul Athira Abdul Rahim almost 3 years ago

Tested and passed on SIT

#4 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from System Integration Test to Pending Prod Deployment
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

#5 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from Pending Prod Deployment to Development / Work In Progress

Kindly review the fixes, as the new pentest (March 9, 2022) result status stated "not solved".

#6 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

Previous fix is wrong.
SIT/UAT deployed on 16/3/2022

#7 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle
  • % Done changed from 90 to 100

Closed for this; refer to the new 2023/2024 pentest report.
