Add Specific ASVS Item Addressing User Enumeration Vulnerabilities #1741
Comments
|
What risk or attack scenario you would like to take down with the requirement? |
elarlang
added
the
1) Discussion ongoing
|
The primary risk that we are addressing with this requirement is the potential for an attacker to enumerate and identify valid usernames or user IDs within the application. This presents multiple concerns: Phishing and Social Engineering: Armed with a list of valid usernames or emails, an attacker can craft more convincing phishing campaigns. By targeting actual users of a service, the success rate of phishing attempts can increase. Data Leakage: In some scenarios, the very knowledge of a specific individual being a user of a certain application can be considered sensitive information. For example, being able to confirm that a particular email address is registered on a healthcare or financial site might leak personal data about that individual's affiliations or activities. Chaining Vulnerabilities: User enumeration, while seemingly benign on its own, can be a part of a larger chain of vulnerabilities. An attacker leveraging multiple vulnerabilities can potentially cause more significant harm when they have knowledge of valid users. |
|
For me basically the only reasonable point is the "data leakage" example. Phising campaigns (in general) feels a bit more out of ASVS scope. Nowadays it's widespread solution that username is email address, and there is plenty of ways to figure them out in general. Against mass-requests there are anti-automation rules. If there is self-registration functionality and there is free form of choosing username - how do you provide the service without letting users know, that certain username is taken? If username is an email address, maybe there is possibility to send some abstract message that "Check your email for activation". (Genral feedback) I would like to see more precise and technical examples, "may cause more harm" does not carry any information for me. |
|
Vision from my side: I don't see it as requirement for improving authentication (proposed 2.X.X). Only value here is information leakage (8.(1 or 3).X) - the fact that certain user/email is using the application. The problem is, you can not always hide it - maybe usernames or emails are diplayed somewhere by business logic rules - which also means we can not require hiding it for everyone and for every case. To watch it as information leakage, I think it also covers other pointed out scenarios like phising, as this acticity just using the information leakage but it's not vector against the application itself. |
|
Hi @ImanSharaf, just a reminder to always search for issues before you open new ones :) In this case, I gave an opinion similar to what @elarlang wrote above. As @elarlang wrote above, I agree that this could be a data leakage/information disclosure issue where being able to discover the existence of a single user in an application (e.g. abortion clinic website) would be considered a significant breach of confidentiality/privacy. Can you think of a relevant requirement text? |
|
@tghosth - before requirement text, we should finding agreement and understanding, is it actually reachable. Like my comments here: #1741 (comment) |
|
I agree with @elarlang on this one. Knowing someone's username is not really an attack vector or a vulnerability on its own. We had extensive discussions with colleagues and clients before and this is usually not an issue we report on a pentest as a finding unless we were able to chain multiple vulnerabilities (which are more impactful than username enumeration) that could lead to a user account being compromised. The rationality was anyone could figure out your username/email if it is let's say firstname.lastname@domain.org, so that doesn't really stop an attacker to enumerate users. What stops them are other controls behind that. And actually, some systems out there design it that way to prevent frustration from users whenever registering for a new account if there are generic error messages it gets confusing. I feel like if ever we would like to focus on improving the authentication mechanisms, we should focus on other controls (such as account lockout to deter brute force attacks, enforcing MFA, etc). |
|
Counterpoint:
Many financial sites at the enterprise management level do not allow you to pick a username, they choose one for you that is password like, a great defense against credential stuffing.
Also, sites like PG&E here in California allow you to shut down your email address as a username and select one yourself.
These controls are for a reason and help stave off credential stuffing.
Username unumeration is classified as an AuthN level attack.
|
|
Well, to the only defense against username-password authentication is to not use only username-password for authentication. For comparison for Jim - if in Estonia you want log in to a internet bank or to some government related sites, you can not use username-password combination anywhere. In general I agree, that if an attacker knows the username, it makes attacker's life easier, but I it's not trivial to build a requirement to require hiding it for everyone and for every case. Email address as username is too widespread solution. Or Jim want to say, that authentication to Gmail is problematic as you use your email address as username? |
|
All I am saying is those services that stop or prevent username harvesting by using obscure/non-public usernames, give users a chance to not use an email address, do not display usernames and have a non-username display name, or assign password like usernames, or use biometrics for the username…
…are more secure than those who do not.
Developers should be considering these options.
|
Yes, developers (or security analyst) should consider this as option. But at the moment I can not see the material for requirement, what everyone must do. |
|
We have ASVS Requirement: Simultaneously, there's a recommendation in the Authentication Cheat Sheet, which advises displaying a generic error message in different authentication scenarios, even when: -The user ID or password is incorrect. BUT the current conversation is mostly about not wanting to use a standard message...
Does this make sense? |
Current issue is not limited to username leakage from error messages, but in general - application should hide is some user registered there or not. Idea is nice but taking into account widespread solution to use email address as user-name, makes it hard to provide good and "fits for all" requirement for that. |
|
Maybe I provide context with some parallel issue. Let's say application keeps files in public folder, those are accessible with HTTP request but actually require authorization. For the folder is available directory listing. We have requirement for folder listing, as unintended information leakage:
If we disable folder listing, we don't fix authorization problem for accessing files. It just closes one (main) source of information which files are there, but the problem in the application still exists. The same is with username enumeration from authentication perspective - practically hiding usernames won't compensate problems with authentication. At the same time, it does not make sense to make attackers life easier and do not reveal information which is not intended to be public. If to use example of V14.3.4, maybe something like (from information leakage perspective):
|
|
Definitely! The very first message in this issue is about potential leakage of information if some user is registered in a system or not through the error messages. Some potential places where the disclosure of whether a user is registered or not may occur:
For the 3d one we have 2.2.8 requirement. What about 1st and 2d? What if we add them to 2.2.8? 2.2.8. Verify that all failed authentication challenges respond in the same way:
|
|
I agree it makes sense to change 2.2.8 to cover more cases. But now we kind of have 2 parallel topics: to hide the fact that this user is registered in the application at all and to hide what went wrong during authentication (2.2.8 improvement). |
|
I can't think of any other reason to have 2.2.8 other than to hide the fact that a user with that login is already registered. In my view, 2.2.8. (after extending) would cover it for applications without a self-registration.
V8.X.X sounds good for me. It would help highlighting the problem of information leakage during registration in self-registration applications, among other ways of revealing of user information. |
|
In ASVS v3.0.1 there was requirement: |
|
Since requirement 2.18 was removed due to deprecation (#236), I suggest removing requirement 2.2.8 as it makes no sense apart from 2.18 |
|
Good investigation :) I agree, it does not make sense or give meaningful impact from authentication point of view and this is the argument from NIST. Here I watch it as information leakage, which can be used against authentication attacks, but where mentioned (NIST, #236) MFA need to take away the attack vector. |
|
I agree that not using email as an email address is probably more of a "should do" rather than a "must do" so it isn't really relevant for ASVS. I can only really repeat my comment from above: #1741 (comment)
Other than that, I don't think we need requirements for this. |
but we already have requirement for that and I agreed (#1741 (comment)) it can be finetuned like @belalena proposed in #1741 (comment) to cover it more widely than written at the moment.
Other option is to delete it. Or is there any other good reason to have 2.2.8? |
|
Ok, I think I understand better now. What if we were to expand 2.2.8 and bump it up to L3 as I think it is a hard requirement
|
|
@ImanSharaf @belalena do you have any comments on the requirement proposal in the previous comment? |
|
Just a note that in the proposed requirement text, there is no closing bracket for the opening one. |
|
Thanks I fixed that bracket |
|
@tghosth all good! |
elarlang
added
the
5) awaiting PR
|
By content it's V8 requirement. Should we keep it in V2 together with authentication requirements, or should we move it to V8? |
elarlang
removed
the
5) awaiting PR
|
I think we should keep it as V2 because not everything in the requirement is strictly error related |
|
V8 is sensitive data. The fact that the user is registered to a site, can be considered as sensitive information. |
|
Sorry, I got confused with V7 😂😂. Nevertheless I think it should stay with AuthN because it is quite specific |
The current ASVS items under category 2 don't explicitly address user enumeration vulnerabilities that arise from different responses given by the application during authentication attempts (e.g., "This user doesn't exist" vs. "Incorrect password").
Proposed Change
Add a new ASVS item under category 2 that explicitly addresses user enumeration during the authentication process.
Draft for the new ASVS item:
2.X.X Verify that the application provides generic error messages during the authentication process to prevent user enumeration vulnerabilities. Regardless of the authentication failure reason, responses such as "Invalid username or password" should be used.
Justification
User enumeration vulnerabilities allow attackers to determine if a username or email is registered with the service. This vulnerability can provide attackers with a starting point for brute force attacks, phishing campaigns, and other malicious activities targeting valid users. Addressing this in the ASVS will raise awareness among developers and security auditors about this often-overlooked vulnerability.
The text was updated successfully, but these errors were encountered: