225 – Proper authentication responses

Summary

System responses to authentication failures must not indicate which part of the authentication was incorrect.

Description

Authentication forms are one of the most publicly accessible parts of an application, which makes them more susceptible to be attacked. Most authentication mechanisms require only a username and a password. If the responses to authentication attempts indicate which authentication parameter was incorrect, attackers may be able to obtain a list of valid usernames (user enumeration) that they can use in brute force attacks.

Supported In

Advanced: True

References

• CWE-203. Observable discrepancy
• PDPO-S1_5. Information to be generally available
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• CMMC-AC_L2-3_1_9. Privacy & security notices
• CMMC-AU_L2-3_3_4. Audit failure alerting
• IEC62443-IAC-1_12. System use notification
• WASSEC-6_2_1_1. Authentication - Brute force
• ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)
• ISSAF-V_12. Application security - Source code auditing (error handling)
• NIST800171-1_9. Provide privacy and security notices
• NIST800171-5_11. Obscure feedback of authentication information
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• NIST-PR_AA-03. Users, services, and hardware are authenticated
• NIST-RS_MA-01. The incident response plan is executed in coordination with relevant third parties once an incident is declared

Weaknesses

• 331 – User Enumeration - Wordpress
• 026 – User enumeration

Last updated

2024/03/05