Cornucopia - Ecommerce Website - AT 4
Sebastien can easily identify valid user names or enumerate them.
This attack is often the result of one or more of the following:
- User names (IDs, account names) may be guessable, published elsewhere, or simply be email addresses
- Authentication and related mechanisms may indicate whether a username is valid or not (registration, password reset/recovery, username recovery, change password, change email address), through different messages, response codes or response times
- Missing authentication failure detection
- Missing monitoring to identify attacks against multiple user accounts using the same password (password spraying)
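The second cause above, as an added example that is not code from the Cornucopia project: a login handler whose distinct error messages and fast path for unknown users leak which accounts exist, next to a hardened version that returns one message, does the same password-hashing work whether or not the user exists, and handles password reset and registration with a uniform response. The user table, the dummy credential, the `OUTBOX` stand-in for a mail queue and all account names are constructed for the example.

```python
"""Added example, not part of the Cornucopia card: username enumeration through
authentication responses, and a hardened equivalent. All data is constructed."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # PBKDF2 rounds; kept low for the example, raise in production


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, password hash). Hypothetical account.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, pbkdf2("correct horse", _SALT))}

# Dummy credential: unknown users are checked against this so the request costs
# the same CPU time (and takes the same code path) as a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

# Stand-in for an outbound mail queue, so the caller can see what would be sent.
OUTBOX: list[tuple[str, str]] = []


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message differs, and unknown users skip the hash entirely,
    so both the text and the response time reveal whether the account exists."""
    if username not in USERS:
        return "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(pbkdf2(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message and one PBKDF2 computation regardless of whether the
    username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(pbkdf2(password, salt), stored)
    # The dummy hash is of a random secret nobody knows, but require a real
    # account anyway rather than trusting that alone.
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


def password_reset_uniform(username: str) -> str:
    """Reset/recovery: acknowledge every request the same way; only real accounts
    get a message (the reset token itself is out of scope here)."""
    if username in USERS:
        OUTBOX.append((username, "password_reset"))
    return "If that account exists, a reset link has been sent"


def register_uniform(email: str) -> str:
    """Registration: never say 'already registered' in the page; tell whoever
    controls the mailbox instead, and show the same page either way."""
    kind = "already_registered" if email in USERS else "confirm_registration"
    OUTBOX.append((email, kind))
    return "Check your email to continue registration"
```

The uniform handler only stays uniform if every other branch (lockout, disabled account, missing MFA enrolment) also returns the same message after the same work; any early exit reintroduces the oracle. Rate limiting per source and per account is still needed on top, since a uniform response slows enumeration but does not stop password guessing.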
Additionally, another web or non-web application (e.g. a mobile app or telephone service) that uses the same credentials may have one or more of the above problems.
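The last two causes in the list, and the note about other applications sharing the same credentials, as an added example that is not the card's or any OWASP project's code: a detector run over constructed server-side authentication logs. The server records the real failure reason even though the client saw a uniform error, so enumeration shows up as many unknown usernames from one source, while spraying shows up as many distinct real accounts each failing once from one source (passwords are not logged, so spraying is inferred from that breadth). Events from the web and mobile apps are aggregated per source address and per account. The log format, thresholds and addresses are assumptions.

```python
"""Added example, not part of the Cornucopia card: detecting username enumeration,
password spraying and per-account failure bursts from constructed auth logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<timestamp> <app> <src_ip> <username> <result>".
# Clients always saw "Invalid username or password"; the server logs the real reason.
LOG = """\
2024-05-01T10:00:01 web 203.0.113.9 alice@example.com bad_password
2024-05-01T10:00:02 web 203.0.113.9 bob@example.com bad_password
2024-05-01T10:00:03 mobile 203.0.113.9 carol@example.com bad_password
2024-05-01T10:00:04 mobile 203.0.113.9 dave@example.com bad_password
2024-05-01T10:00:05 web 203.0.113.9 erin@example.com bad_password
2024-05-01T10:01:00 web 198.51.100.7 aa@example.com unknown_user
2024-05-01T10:01:01 web 198.51.100.7 ab@example.com unknown_user
2024-05-01T10:01:02 web 198.51.100.7 alice@example.com bad_password
2024-05-01T10:01:03 web 198.51.100.7 ac@example.com unknown_user
2024-05-01T10:01:04 web 198.51.100.7 ad@example.com unknown_user
2024-05-01T10:05:00 web 192.0.2.44 alice@example.com bad_password
2024-05-01T10:05:30 web 192.0.2.44 alice@example.com ok
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
ENUM_MIN_UNKNOWN = 4            # distinct unknown usernames from one source
SPRAY_MIN_ACCOUNTS = 5          # distinct real accounts failing from one source
ACCOUNT_FAILURES = 3            # failures on one account, from any source


def parse(text: str) -> list[tuple[datetime, str, str, str, str]]:
    """Parse the constructed format into (ts, app, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, app, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), app, ip, user, result))
    return events


def detect(events) -> set[tuple[str, str]]:
    """Return alerts as (alert_type, subject). Web and mobile are counted together."""
    alerts: set[tuple[str, str]] = set()
    fails_by_ip = defaultdict(list)
    fails_by_user = defaultdict(list)
    for ts, _app, ip, user, result in sorted(events):
        if result == "ok":
            continue
        fails_by_ip[ip].append((ts, user, result))
        fails_by_user[user].append(ts)

    # Per-source: sliding window over failures, counting distinct usernames by reason.
    for ip, fails in fails_by_ip.items():
        window: deque = deque()
        for ts, user, result in fails:
            window.append((ts, user, result))
            while ts - window[0][0] > WINDOW:
                window.popleft()
            unknown = {u for _, u, r in window if r == "unknown_user"}
            sprayed = {u for _, u, r in window if r == "bad_password"}
            if len(unknown) >= ENUM_MIN_UNKNOWN:
                alerts.add(("username_enumeration", ip))
            if len(sprayed) >= SPRAY_MIN_ACCOUNTS:
                alerts.add(("password_spraying", ip))

    # Per-account: N failures within the window, regardless of source or app.
    for user, stamps in fails_by_user.items():
        stamps.sort()
        for i in range(ACCOUNT_FAILURES - 1, len(stamps)):
            if stamps[i] - stamps[i - ACCOUNT_FAILURES + 1] <= WINDOW:
                alerts.add(("account_failure_threshold", user))
                break
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(parse(LOG))):
        print(alert)
```

On the constructed data the spraying source is caught by breadth (five accounts, one failure each) that a per-account lockout would never notice, and alice's account trips the per-account rule only because failures from three different sources are counted together, which is the reason the card asks for monitoring across all applications that share the credential store.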
NB: This card relates to user names. See AT 7 for the similar password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|