Penetration testing results:
Risk Rating: LOW
Results:
The web application responses allow an attacker to enumerate usernames.
Issues:
By reading the application responses an attacker can programmatically discern when they have guessed a valid
username. They can then generate a username list to use in a password cracking attack.
Recommendations:
Provide only a general error message when a correct or incorrect username is entered. For example, “If your username
was found on file, we will send you a password reset email.”
Release : 14.3 CP2
Component : 14.3 CP2
For example, in Identity Portal if you enter an invalid userID, Portal returns "Your userID is incorrect". This gives some information to an attacker: they now know the userID is wrong and could continue with a brute-force attack. Instead, a more generic message should be used so that a potential attacker is not given any information.
Resolved in 14.4.1, which is scheduled for release in early December 2021. That release will contain a more generic error message for the user ID and password login.
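An added illustration, not the product's own code: a login handler that returns the distinguishing messages quoted above, beside a hardened handler that returns one generic message and does the same hashing work on both failure paths, plus a regression check a tester can run to confirm the two failure responses are indistinguishable. The user store, salt, and message strings are constructed for the example.

```python
import hashlib
import hmac

GENERIC_LOGIN_ERROR = "The user ID or password you entered is incorrect."
GENERIC_RESET_MESSAGE = ("If your username was found on file, "
                         "we will send you a password reset email.")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store (hypothetical; not the product's schema).
_SALT = b"constructed-salt"
USERS = {"alice": _hash("correct horse", _SALT)}
# Dummy digest used when the user does not exist, so the unknown-user path
# performs the same hashing work and cannot be told apart by timing.
_DUMMY = _hash("dummy", _SALT)


def login_verbose(user_id: str, password: str) -> str:
    """Vulnerable: distinct messages reveal whether the user ID exists."""
    if user_id not in USERS:
        return "Your userID is incorrect"
    if not hmac.compare_digest(USERS[user_id], _hash(password, _SALT)):
        return "Your password is incorrect"
    return "OK"


def login_generic(user_id: str, password: str) -> str:
    """Hardened: one message and one amount of work for both failure causes."""
    stored = USERS.get(user_id, _DUMMY)
    matches = hmac.compare_digest(stored, _hash(password, _SALT))
    if matches and user_id in USERS:
        return "OK"
    return GENERIC_LOGIN_ERROR


def password_reset(user_id: str) -> str:
    """Hardened reset flow: the response does not depend on existence."""
    if user_id in USERS:
        pass  # queue the reset e-mail here (delivery is out of scope)
    return GENERIC_RESET_MESSAGE


def leaks_user_existence(handler, known_user: str, unknown_user: str) -> bool:
    """Regression check: True if failure responses differ by user ID."""
    return handler(known_user, "wrong") != handler(unknown_user, "wrong")
```

The check compares only the response body; a complete test would also compare status codes, headers and response timing.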