This article is a part of our Web Security Knowledge Base.
Why Possible Username Enumeration can be dangerous
Username enumeration means that your service reveals whether a given username is valid. Because the HTTP responses differ for valid and invalid usernames, an attacker can work out which usernames exist, which makes it much easier to find a working username and password combination by brute force against the system.
How to fix Possible Username Enumeration
Do not disclose details on whether or not the username is valid.
Create a universal error message, page title, content, HTTP headers and redirection logic for failed authentication. Don’t differentiate between failure causes and don’t give hints about which step, or which piece of information, was invalid.
How does ScanRepeat report Possible Username Enumeration
ScanRepeat looks for this vulnerability on the login page and the “forgot password” page. It identifies the URLs where the HTTP response depends on whether the supplied username is valid or not. It reports every occurrence of such a vulnerability, providing its URL and the differences in output for valid and invalid usernames.
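As an added example (not ScanRepeat’s code and not part of the original article), the two login handlers below show the leaky pattern beside the uniform-response fix described above, and `enumeration_differences` performs the kind of comparison the scanner description refers to: the same failed login against a known and an unknown username, reporting any status, header or body that differs. The user store, usernames, password and URLs are constructed for the demo.

```python
import hashlib
import hmac

# Constructed user store for the demo: username -> salted SHA-256 of the password.
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# Hash compared against when the user is unknown, so both paths do the same work.
_DUMMY_HASH = hashlib.sha256(_SALT + b"dummy").hexdigest()

def _password_ok(username, password):
    """Constant-time style check that does not short-circuit on an unknown username."""
    supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _USERS.get(username, _DUMMY_HASH)
    return hmac.compare_digest(stored, supplied) and username in _USERS

def login_leaky(username, password):
    """Vulnerable pattern: status, redirect target and message all reveal whether the user exists."""
    if username not in _USERS:
        return 404, {"Location": "/login?error=unknown_user"}, "Unknown username"
    if not _password_ok(username, password):
        return 401, {"Location": "/login?error=bad_password"}, "Incorrect password"
    return 302, {"Location": "/home"}, "Welcome"

def login_uniform(username, password):
    """Hardened pattern: one identical response for every failed attempt, whatever the cause."""
    if _password_ok(username, password):
        return 302, {"Location": "/home"}, "Welcome"
    return 401, {"Location": "/login?error=1"}, "Invalid username or password"

def enumeration_differences(handler, known_user, unknown_user, password="wrong-password"):
    """Return the response fields that differ between a failed login for a known and an unknown
    username. An empty list means the endpoint does not leak username validity in its response."""
    status_a, headers_a, body_a = handler(known_user, password)
    status_b, headers_b, body_b = handler(unknown_user, password)
    diffs = []
    if status_a != status_b:
        diffs.append(f"status: {status_a} vs {status_b}")
    for name in sorted(set(headers_a) | set(headers_b)):
        if headers_a.get(name) != headers_b.get(name):
            diffs.append(f"header {name}: {headers_a.get(name)!r} vs {headers_b.get(name)!r}")
    if body_a != body_b:
        diffs.append(f"body: {body_a!r} vs {body_b!r}")
    return diffs

if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, enumeration_differences(handler, "alice", "nobody") or "no difference")
```

Response timing is not compared here; a handler that skips the password hash for unknown users can still leak validity through latency even when its responses are identical.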
Would you like to test your application now against this problem? Sign up for our free trial