Pen test results - Username Enumeration

Article ID: 228118

Updated On:

Products

CA Identity Suite

Issue/Introduction

Penetration testing results:

Risk Rating: LOW

Results:
The web application responses allow an attacker to enumerate usernames.

Issues:
By reading the application responses, an attacker can programmatically discern when they have guessed a valid username. They can then build a list of valid usernames to use in a password-guessing (brute-force or password-spraying) attack.

Recommendations:
Return the same general error message whether the username is valid or not. For example, on a password reset form: "If your username was found on file, we will send you a password reset email." The login form should likewise return a single message such as "The user ID or password you entered is incorrect", and the response should otherwise be identical in both cases (HTTP status code, page content and response time), since any observable difference can be used to enumerate accounts.

Cause

For example, in Identity Portal, if you enter an invalid user ID, Portal returns "Your userID is incorrect". This gives an attacker useful information: they now know that the user ID does not exist, and that a different response means it does, so they can enumerate valid IDs and then target them with a brute-force attack. Instead, a single generic message should be returned for both an invalid user ID and an invalid password so that the response does not reveal which part of the credential failed.
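The following is an added example, not Identity Portal code: a minimal login handler that reproduces the behaviour described under Issues and Cause, its hardened form that returns one generic response, and the check a tester runs to tell the two apart (compare the response for a candidate username against the response for a name known not to exist). The user store, passwords, salt and message strings are all constructed for this example.

```python
"""Added example (not CA/Broadcom code) of username enumeration via
distinct login responses, the hardened variant, and the tester's check.
Users, passwords, salt and messages are constructed for this example."""
import hashlib
import hmac
import secrets

# Iteration count is kept low so the example runs quickly; raise it in real code.
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 10_000


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-SHA256 password hash (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> password hash.
USERS = {
    "alice": _hash("correct horse"),
    "bob": _hash("battery staple"),
}

# Hash of a random value, used so unknown users still cost one hash computation.
_DUMMY_HASH = _hash(secrets.token_hex(16))

GENERIC_MESSAGE = "The user ID or password you entered is incorrect."


def login_vulnerable(user_id: str, password: str) -> tuple[int, str]:
    """Weak form: the message reveals whether the user ID exists."""
    if user_id not in USERS:
        return 401, "Your userID is incorrect"
    if not hmac.compare_digest(USERS[user_id], _hash(password)):
        return 401, "Your password is incorrect"
    return 200, "Login successful"


def login_hardened(user_id: str, password: str) -> tuple[int, str]:
    """Hardened form: identical status and message for an unknown user ID
    and for a wrong password, and the same hashing work in both cases so
    the response time does not depend on whether the account exists."""
    stored = USERS.get(user_id)
    reference = stored if stored is not None else _DUMMY_HASH
    matched = hmac.compare_digest(reference, _hash(password))
    if stored is None or not matched:
        return 401, GENERIC_MESSAGE
    return 200, "Login successful"


def enumerate_users(login, candidates, probe="zz-no-such-user-zz"):
    """Tester's check: submit a wrong password for a name known not to
    exist, then for each candidate; any candidate whose response differs
    from that baseline is reported as a valid username."""
    baseline = login(probe, "not-the-password")
    return [c for c in candidates if login(c, "not-the-password") != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(login_vulnerable, wordlist))
    print("hardened:  ", enumerate_users(login_hardened, wordlist))
```

Against the vulnerable handler the check reports alice and bob; against the hardened handler it reports nothing, because every failed attempt produces the same response. In a real test the same comparison is made on the full HTTP response (status, body length and timing), not just the message text.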

Environment

Release : 14.3 CP2

Component : 14.3 CP2

Resolution

Resolved in 14.4.1, which is expected to be released in early December 2021. That release returns a generic error message for both username and password failures at login.