Details

Alert ID: 40023
Alert Type: Active
Status: beta
Risk: Informational
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: OWASP_2017_A06, OWASP_2021_A05, WSTG-V42-IDNT-04
More Info: Scan Rule Help

Summary

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ option in ZAP. Please manually check the ‘Other Info’ field to confirm whether this is actually an issue.

Solution

Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.
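As an added illustration (not code from ZAP or from this scan rule), the Python below shows a login handler that leaks the distinction through status, header and body, beside one that returns the same failure for an unknown user and a wrong password, together with the comparison of two failed-login responses that this rule relies on. The user store, salt, paths and messages are constructed for the example.

```python
"""Added example: leaky vs. uniform login failure, and the check that tells them apart."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed user store (salt and credential are sample values, not real data).
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash("correct horse", _SALT)}


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict
    body: str


def login_leaky(username: str, password: str) -> Response:
    """Vulnerable: an unknown user gets a different status, header and message."""
    stored = USERS.get(username)
    if stored is None:
        return Response(404, {"Location": "/signup"}, "No such user")
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return Response(401, {}, "Wrong password")
    return Response(302, {"Location": "/home"}, "")


def login_uniform(username: str, password: str) -> Response:
    """Hardened: unknown user and wrong password produce the identical response."""
    stored = USERS.get(username)
    # Hash even for unknown users so the work done does not reveal existence either.
    candidate = _hash(password, _SALT)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        return Response(401, {}, "Invalid username or password")
    return Response(302, {"Location": "/home"}, "")


def responses_differ(handler, known_user: str, unknown_user: str, wrong_pw: str = "x") -> bool:
    """The comparison this rule makes: do failed logins for a known and an
    unknown username differ in status, headers or body?"""
    a = handler(known_user, wrong_pw)
    b = handler(unknown_user, wrong_pw)
    return (a.status, a.headers, a.body) != (b.status, b.headers, b.body)
```

`responses_differ` returns True for `login_leaky` and False for `login_uniform`; the same comparison applied to redirect targets and page titles covers the other channels listed in the solution.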

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java