This article is a part of our Web Security Knowledge Base.

Why Possible Username Enumeration can be dangerous

Username enumeration means that your service reveals whether a submitted username exists. This usually happens because the HTTP response for a valid username differs in some observable way from the response for an invalid one: a different status code, redirect target, page title, body text or header, or even a different response time. An attacker can send a list of candidate usernames and keep the ones that produced the "valid" response. Knowing which accounts exist makes brute-force and credential-stuffing attacks far more effective, because the attacker only has to guess the password and can spread a few common passwords across the confirmed accounts without tripping per-account lockouts.

How to fix Possible Username Enumeration

Do not disclose, in any part of the response, whether or not the username is valid.

Use one generic failure message ("Invalid username or password"), the same page title and content, the same HTTP status code and headers, and the same redirect target for every failed authentication attempt, regardless of which step or which field was wrong. Apply the same rule to the "forgot password" flow: respond with a message such as "If an account with that address exists, we have sent a reset link" whether or not the account exists. Also make sure the failure path does the same amount of work for an unknown user as for a known one; if the password hash is only computed when the user exists, the response time alone reveals which usernames are valid.

How does ScanRepeat report Possible Username Enumeration

ScanRepeat looks for this vulnerability on the login page and the "forgot password" page. It identifies the URLs where the HTTP response depends on whether the supplied username is valid or not, and reports every occurrence, providing the URL and the differences between the responses for a valid and an invalid username.
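The fix described above and the response comparison the scanner performs, as an added worked example in Python that is not part of the original page or of ScanRepeat's own code. The two login handlers are hypothetical: they return (status, headers, body) tuples instead of real HTTP responses so the example runs offline, and the user store, salt and passwords are constructed sample data. The first handler leaks account existence through every channel; the second returns an identical failure response for an unknown user and a wrong password, and always verifies a password hash so the timing is the same in both cases. `enumeration_check` is the comparison step: it submits the same wrong password for a known and an unknown username and lists the channels in which the two responses differ.

```python
import hashlib
import hmac


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Real deployments use a per-user random salt; the fixed salt below only
    # keeps this constructed example deterministic.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = bytes.fromhex("00" * 16)

# Constructed sample user store: username -> (salt, password hash).
USERS = {
    "alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}

# Dummy hash verified when the username is unknown, so the failure path does
# the same amount of work whether or not the account exists (no timing leak).
_DUMMY_HASH = _pbkdf2("dummy-password-never-matches", _SALT)


def login_vulnerable(username: str, password: str):
    """Hypothetical handler that leaks account existence in status, headers and body."""
    record = USERS.get(username)
    if record is None:
        return 404, {"Location": "/login?error=nouser"}, "Unknown username"
    salt, stored = record
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return 302, {"Location": "/home"}, ""
    return 401, {"Location": "/login?error=badpass"}, "Wrong password for " + username


def login_hardened(username: str, password: str):
    """Hypothetical handler: identical failure response for unknown user and wrong password."""
    # Unknown users get the dummy record, so the hash is always computed.
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    hash_matches = hmac.compare_digest(_pbkdf2(password, salt), stored)
    # The explicit membership check stops a match against the dummy hash
    # (someone submitting the dummy password for a non-existent user) from logging in.
    if hash_matches and username in USERS:
        return 302, {"Location": "/home"}, ""
    return 302, {"Location": "/login?error=1"}, "Invalid username or password"


def response_diff(a, b):
    """Lists the channels (status, headers, body) in which two responses differ."""
    diffs = []
    if a[0] != b[0]:
        diffs.append("status")
    if a[1] != b[1]:
        diffs.append("headers")
    if a[2] != b[2]:
        diffs.append("body")
    return diffs


def enumeration_check(handler, known_user: str, unknown_user: str,
                      password: str = "not-the-password"):
    """Returns the list of channels that distinguish a valid from an invalid username.

    An empty list means the handler gives no enumeration signal in the
    compared channels (timing is not covered by this check)."""
    return response_diff(handler(known_user, password), handler(unknown_user, password))


if __name__ == "__main__":
    print("vulnerable:", enumeration_check(login_vulnerable, "alice", "bob"))
    print("hardened:  ", enumeration_check(login_hardened, "alice", "bob"))
```

The check compares only what is visible in the response tuple; a real scan also has to compare response times, and a real "forgot password" handler needs the same treatment as the login handler. Rate limiting and lockouts slow an attacker down but do not remove the enumeration signal, so they complement this fix rather than replace it.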

Would you like to test your application now against this problem? Sign up for our free trial