From 789847d121cdc7e09a4b27a1c4af0ac8a365692c Mon Sep 17 00:00:00 2001 From: Matt Kocaj Date: Fri, 22 Jul 2016 09:45:17 +0800 Subject: [PATCH] prevent username enumeration --- security-checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-checklist.md b/security-checklist.md index 40ddcfb..3de034e 100644 --- a/security-checklist.md +++ b/security-checklist.md @@ -17,7 +17,7 @@ - [ ] Check for randomness of reset password token in the emailed link or SMS. - [ ] Set an expiration on the reset password token for a reasonable period. - [ ] Expire the reset token after it has been successfully used. - +- [ ] Ensure that login and password reset pages prevent [enumeration attacks](https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)). ##### USER DATA & AUTHORIZATION - [ ] Any resource access like, `my cart`, `my history` should check the logged in user's ownership of the resource using session id.
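Review bot: the added checklist item's OWASP URL ends in `(OWASP-AT-002)`, and the unescaped `)` inside a markdown `[text](url)` link terminates the link early in several renderers, leaving the trailing `)` as literal text; encode the parentheses as `%28OWASP-AT-002%29` or wrap the URL in `<...>`. The hunk also replaces the blank line that separated the reset-password items from the `##### USER DATA & AUTHORIZATION` heading with the new item, so consider keeping a blank line before the heading for consistency with the rest of the checklist. Finally, "prevent enumeration attacks" would be more actionable if it stated what the check is, e.g. that login and reset flows return the same message and comparable response time whether or not the account exists.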