
Pen test results - Username Enumeration


Article ID: 228118




CA Identity Suite


Penetration testing results:

Risk Rating: LOW

The web application responses allow an attacker to enumerate usernames.

By reading the application responses an attacker can programmatically discern when they have guessed a valid username. They can then generate a username list to use in a password cracking attack.

Provide only a general error message when a correct or incorrect username is entered. For example, "If your username was found on file, we will send you a password reset email."


For example, in Identity Portal, if you enter an invalid userID, Portal returns "Your userID is incorrect". This gives some information to an attacker: they now know the userID is wrong and could continue to try other userIDs in a brute force attack. Instead, a more general, generic message should be used so that a potential attacker is not given any information about whether the userID exists.
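The following is an added example, not code from CA Identity Suite or Identity Portal. It contrasts a login handler that returns the distinct "Your userID is incorrect" message described above with one that returns the same generic response for unknown and known usernames, plus a password-reset handler that uses the generic wording recommended in this article. The user store, salt, hashing parameters, `queue_reset_email` hook and `responses_differ` check are constructed for the example; the hardened handler also performs the password hash for unknown users so that the response time does not leak what the message no longer does.

```python
"""Added example (not CA Identity Suite code): username enumeration via
distinct error messages, beside a handler that returns a generic message."""
import hashlib
import hmac
import secrets

# Constructed credential store for the example: username -> PBKDF2 hash.
_SALT = b"constructed-example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse battery staple")}

# Hash of a throwaway value: an unknown username costs the same work as a
# known one, so rejection time does not reveal whether the user exists.
_DUMMY_HASH = _hash(secrets.token_hex(16))

# Constructed stand-in for the mail subsystem; records who was emailed.
SENT_RESET_EMAILS = []


def queue_reset_email(username: str) -> None:
    SENT_RESET_EMAILS.append(username)


def login_leaky(username: str, password: str):
    """Distinct messages, as in the finding: the body tells the caller
    whether the failure was the userID or the password."""
    stored = USERS.get(username)
    if stored is None:
        return (401, "Your userID is incorrect")
    if not hmac.compare_digest(stored, _hash(password)):
        return (401, "Your password is incorrect")
    return (200, "Welcome")


GENERIC_LOGIN_ERROR = "Invalid username or password"


def login_generic(username: str, password: str):
    """Same status and body for an unknown user and a wrong password."""
    stored = USERS.get(username)
    candidate = _hash(password)            # always done, even for unknown users
    expected = stored if stored is not None else _DUMMY_HASH
    ok = hmac.compare_digest(expected, candidate) and stored is not None
    if not ok:
        return (401, GENERIC_LOGIN_ERROR)
    return (200, "Welcome")


def password_reset_generic(username: str):
    """The wording this article recommends: the response never says whether
    the username was on file; only the side effect (an email) depends on it."""
    if username in USERS:
        queue_reset_email(username)
    return (200, "If your username was found on file, we will send you a "
                 "password reset email.")


def responses_differ(handler, known: str, unknown: str, *args) -> bool:
    """Regression check for the finding: do status code and body for a known
    username and an unknown one diverge? True means the handler leaks."""
    return handler(known, *args) != handler(unknown, *args)


if __name__ == "__main__":
    print("leaky handler leaks:", responses_differ(login_leaky, "alice", "mallory", "x"))
    print("generic handler leaks:", responses_differ(login_generic, "alice", "mallory", "x"))
```

`responses_differ` compares only the visible response; a production check would also compare response time and headers, since a handler that skips the hash for unknown users answers measurably faster even when the message is identical.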


Release: 14.3 CP2

Component: 14.3 CP2


Resolved in 14.4.1, which is expected to be released in early December 2021. That release will return a more generic error for the user and password login.