RSPEC-5804

Allowing user enumeration is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Make sure allowing user enumeration is safe here.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-200
    • OWASP:
      A2

      Description

      User enumeration refers to the ability to guess existing usernames in a web application database. This can happen, for example, when using "sign-in/sign-on/forgot password" functionalities of a website.

      When a user tries to sign in to a website with an incorrect username, the web application should not disclose that the username doesn't exist with a message such as "this username is incorrect". Instead, a generic message such as "bad credentials" should be used, so that it is not possible to tell whether the username or the password was incorrect during authentication.

      If a user-management feature discloses information about the existence of a username, attackers can use brute force attacks to retrieve a large number of valid usernames, which impacts the privacy of the corresponding users and facilitates other attacks (phishing, password guessing, etc.).

      Ask Yourself Whether

      • The application discloses that a username exists in its database: most of the time it's possible to avoid this kind of leak except for the "registration/sign-on" part of a website because in this case the user must choose a valid username (not already taken by another user).
      • There is no rate limiting and CAPTCHA protection in place for requests involving a username.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      When a user performs a request involving a username, it should not be possible to spot differences between a valid and incorrect username:

      • Error messages should be generic and not disclose if the username is valid or not.
      • The response time should be similar whether or not the username is valid.
      • CAPTCHA and other rate limiting solutions should be implemented.
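      The three practices above, shown as an added example in Python (not code from the rule or from SonarSource): a login check that leaks whether a username exists, beside one that returns the same message, performs the same hashing work for any username, and counts failed attempts per submitted name. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample user store (not real credentials): username -> (salt, PBKDF2 hash).
_SALT = b"constructed-demo-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Decoy record used for unknown usernames so the same hashing work is done
# on both paths; its password is never accepted (see the membership check).
_DECOY = (_SALT, _hash("decoy-password", _SALT))
GENERIC_ERROR = "bad credentials"
MAX_ATTEMPTS = 5
_attempts = Counter()  # per-username failed attempts (in-memory, for the demo)

def login_noncompliant(username: str, password: str):
    """Leaks existence: distinct messages, and no hashing for unknown users."""
    if username not in USERS:
        return False, "this username is incorrect"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return False, "this password is incorrect"
    return True, "ok"

def login_compliant(username: str, password: str):
    """Generic message, same work for valid and invalid usernames, rate limited."""
    # Count attempts for any submitted name, not only existing ones; a lockout
    # that triggers only for real accounts would itself leak their existence.
    if _attempts[username] >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR
    salt, stored = USERS.get(username, _DECOY)
    digest_ok = hmac.compare_digest(stored, _hash(password, salt))  # always computed
    if digest_ok and username in USERS:
        _attempts.pop(username, None)
        return True, "ok"
    _attempts[username] += 1
    return False, GENERIC_ERROR
```

      A CAPTCHA would be checked before the hashing step in the same way as the attempt counter, again for every submitted name.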


          Issue Links

          1.
          Java RSPEC-5805 Language-Specification Active Unassigned


              People

              Assignee:
              Unassigned
              Reporter:
              Eric Therond (eric.therond)
