
Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)

From OWASP
Revision as of 14:55, 28 July 2013 by Andrew Muller (talk | contribs) (Andrew Muller moved page Testing for Account Enumeration and Guessable User Account (OWASP-AT-002) to Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004): Align with common number and cross-product correlation initiative)


Summary

Most systems are provisioned with default and test accounts to aid the installation, configuration and testing of applications. These accounts are often overlooked when the system enters production. User account names are often structured, so valid account names can easily be guessed. Other times, valid account names can be found using internet search engines.

Test objectives

Verify the structure of account names
Verify the application's response to valid and invalid account names
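The second objective, checking whether the application answers differently for a valid and an invalid account name, can be illustrated with a small login handler. The following is an added example and is not code from the OWASP page: a toy handler that leaks account existence through distinct status codes and messages, a hardened handler that returns one uniform response (and does the password-hash work either way, so the timing does not separate the two cases), and a check function that applies the test objective to either handler. The user store, salt, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed user store for the example: username -> (salt, PBKDF2 digest).
# A real application would keep per-user random salts in its database.
_SALT = b"constructed-example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password digest with PBKDF2-HMAC-SHA256 (hypothetical parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Digest used when the username is unknown, so the hardened handler performs
# the same amount of work whether or not the account exists.
_DUMMY_DIGEST = _hash("dummy", _SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Weak handler: the response reveals whether the account name is valid."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "No such user"  # unknown account is distinguishable
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401, "Incorrect password"
    return 200, "OK"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened handler: same status, message and work for valid and unknown names."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else (_SALT, _DUMMY_DIGEST)
    # Hash and compare even for unknown users; only then fold in existence.
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if not (matched and rec is not None):
        return 401, "Invalid username or password"
    return 200, "OK"


def responses_distinguishable(handler, valid_user: str, unknown_user: str,
                              password: str = "wrong-password") -> bool:
    """Apply the test objective: do responses differ for a valid vs an unknown account?

    Returns True when the handler lets a caller tell the two cases apart.
    """
    return handler(valid_user, password) != handler(unknown_user, password)


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, "distinguishable:", responses_distinguishable(handler, "alice", "bob"))
```

The check compares the full (status, message) pair; in a real assessment the same comparison is made over the whole HTTP response (status, headers, body length and, with repeated measurements, response time), and over every function that takes a username, not only login. Uniform messages alone are not sufficient if the error path returns faster because no hash was computed, which is why the hardened handler always derives the digest.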


How to test

Example

Tools

References

Remediation