Overview:
The response of the forgot-password function on the Administrator login page allows account enumeration. The user must enter an e-mail address to reset their password. When the address does not belong to an existing account, the application returns an error, so the response for a registered address differs from the response for an unregistered one, and an attacker can tell the two apart.
Severity: LOW
An attacker may use this difference to build a list of known-valid accounts and then run a password-guessing attack against them to compromise an account and gain unauthorized access to the application.
Recommendation:
The application should be modified to display the same message to the user initiating the password reset process whether the username is matched or not. When the user submits the username or email address, the application should respond with an identical message for both success and failure. For example, the application could use a message such as "A secure link to reset your password has been sent via email if the username and email address matched your account information."
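The following is an added example, not code from this project: a minimal forgot-password handler in the leaky form described above, beside a hardened form that returns the same status and the same message whether or not the address is registered, plus the probe an attacker would use to tell the two apart. The user store, the in-memory outbox and the e-mail addresses are constructed for the demo; `USERS`, `Outbox` and the handler names are hypothetical.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed sample user store with hypothetical addresses (demo data only).
USERS = {"admin@example.com": {"id": 1}, "alice@example.com": {"id": 2}}

# Single message used for both outcomes, as the recommendation suggests.
GENERIC_MESSAGE = (
    "A secure link to reset your password has been sent via email "
    "if the username and email address matched your account information."
)


@dataclass
class Outbox:
    """Stand-in for the mail queue; records (recipient, token) pairs."""
    sent: list = field(default_factory=list)


def forgot_password_vulnerable(email: str, outbox: Outbox) -> tuple[int, str]:
    """'Before': distinct status and body reveal whether the address exists."""
    user = USERS.get(email)
    if user is None:
        return 404, "No account was found for that email address."
    token = secrets.token_urlsafe(32)
    outbox.sent.append((email, token))
    return 200, "A password reset link has been sent to your email address."


def forgot_password_hardened(email: str, outbox: Outbox) -> tuple[int, str]:
    """'After': same status, same body and the same server-side work in both cases.

    The token is generated unconditionally so the two code paths do roughly
    the same amount of work; the mail is only queued when an account matches.
    """
    user = USERS.get(email)
    token = secrets.token_urlsafe(32)
    if user is not None:
        outbox.sent.append((email, token))
    return 200, GENERIC_MESSAGE


def enumerate_accounts(handler, candidates: list[str]) -> list[str]:
    """Attacker's view: compare each candidate's response with the response for
    an address that certainly does not exist, and return every candidate whose
    (status, body) pair differs. An empty result means the oracle is closed."""
    bogus = "nobody-" + secrets.token_hex(8) + "@example.invalid"
    baseline = handler(bogus, Outbox())
    return [c for c in candidates if handler(c, Outbox()) != baseline]


if __name__ == "__main__":
    probes = ["admin@example.com", "bob@example.com", "alice@example.com"]
    print("vulnerable reveals:", enumerate_accounts(forgot_password_vulnerable, probes))
    print("hardened reveals:  ", enumerate_accounts(forgot_password_hardened, probes))
```

A uniform message closes the oracle in the response body only. The reset mail should be queued rather than sent synchronously so that response time does not become the new oracle, and the endpoint should be rate-limited per address and per source IP, since the attacker still needs many requests to exploit any residual difference.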
Reference:
https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication