026 – User enumeration

Description

The system provides different responses for existent and non-existent users, allowing an attacker to enumerate valid users via error messages, response times, frames count, among other techniques.

Impact

Obtain valid application usernames.

Recommendation

Set the same server response for existent and non-existent users.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

15 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 225 - Proper authentication responses

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Swift
• Typescript

Last updated

2024/02/07