rspec/rules/S5804/description.adoc

User enumeration refers to the ability to guess existing usernames in a web application database. This can happen, for example, when using "_sign-in/sign-on/forgot password_" functionalities of a website.

When an user tries to _sign-in_ to a website with an incorrect username/login, the web application should not disclose that the username doesn't exist with a message similar to "_this username is incorrect_", instead a generic message should be used like "_bad credentials_", this way it's not possible to guess whether the username or password was incorrect during the authentication.

If a user-management feature discloses information about the existence of a username, attackers can use brute force attacks to retrieve a large amount of valid usernames that will impact the privacy of corresponding users and facilitate other attacks (phishing, password guessing etc ...).
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`User enumeration refers to the ability to guess existing usernames in a web application database. This can happen, for example, when using "_sign-in/sign-on/forgot password_" functionalities of a website.`

			`When an user tries to _sign-in_ to a website with an incorrect username/login, the web application should not disclose that the username doesn't exist with a message similar to "_this username is incorrect_", instead a generic message should be used like "_bad credentials_", this way it's not possible to guess whether the username or password was incorrect during the authentication.`

			`If a user-management feature discloses information about the existence of a username, attackers can use brute force attacks to retrieve a large amount of valid usernames that will impact the privacy of corresponding users and facilitate other attacks (phishing, password guessing etc ...).`