Description
During the scan, Cytrix managed to find a User Enumeration vulnerability.
User Enumeration is a vulnerability that occurs when an attacker can determine if usernames are valid or not. Most commonly, this issue occurs on login forms, where an error similar to “the username is invalid or in use” is returned.
Although username enumeration is not considered as a high-risk issue, it does provide the attacker with valuable information for further attacks.
It can also assist the attacker in getting users credentials.
An attacker can exploit this behavior by using lengthy lists of common usernames, known names, and dictionary words to observe the application response to all.
Recommendation
Make sure to return a generic “No such username or password” message when a login failure occurs.
Make sure your “forgotten password” page does not reveal any usernames.
Avoid having your site telling people that a supplied username is already taken.