It is possible to collect valid email addresses by interacting with the "Forgot Password" function of the application. This vulnerability is useful to increase the efficiency of brute force attacks. If the email is known, it is easier to find the corresponding password. The affected URL is /Account/ForgotPassword.

With the "Forgot Password" function, the security consultants were able to enumerate valid email addresses, as the function returns a "Cannot find the given email" error when there is no user registered with the provided e-mail address. Figure 12 shows the error message received if the email is not registered.

If a user is registered with the provided email address, the application informs them that a recovery email has been sent, as shown below.
This behavior is user-friendly, and it's a tradeoff between being user-friendly and security-friendly. The following popular websites all show user-friendly warning messages about user existence. So this is a widely accepted behavior.
Solution:
We can give this security level as an option. By default, the current behaviour will remain valid. With an extra configuration, we can change the response of the "forgot my password" request. If this option is enabled, we shouldn't show a positive or negative response depending on whether the user entered a valid email or not. Always show a generic message such as the following:

If the provided e-mail address is registered in the system, we will send a password reset link. If you don't get an email within a few minutes, please check your spam box or try again later.
Ref: https://portswigger.net/blog/preventing-username-enumeration
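The configuration option proposed above, written out as an added C# example that is not the project's own code. Every type here (ForgotPasswordOptions, IUserLookup, IResetLinkQueue, ForgotPasswordHandler and the in-memory stand-ins) is an assumed name for illustration; the option defaults to false so the current behaviour is kept, and when it is enabled both branches return the same success flag and the same generic text.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Assumed option type (not the project's own): off by default so existing behaviour is kept.
public sealed class ForgotPasswordOptions
{
    public bool PreventEmailEnumeration { get; set; } = false;
}

public interface IUserLookup
{
    Task<bool> ExistsByEmailAsync(string email);
}

// Enqueue rather than send inline, so response time does not depend on whether the user exists.
public interface IResetLinkQueue
{
    void Enqueue(string email);
}

public sealed record ForgotPasswordResult(bool Success, string Message);

public sealed class ForgotPasswordHandler
{
    public const string GenericMessage =
        "If the provided e-mail address is registered in the system, we will send a password reset link. " +
        "If you don't get an email within a few minutes, please check your spam box or try again later.";

    private readonly ForgotPasswordOptions _options;
    private readonly IUserLookup _users;
    private readonly IResetLinkQueue _queue;

    public ForgotPasswordHandler(ForgotPasswordOptions options, IUserLookup users, IResetLinkQueue queue)
    {
        _options = options;
        _users = users;
        _queue = queue;
    }

    public async Task<ForgotPasswordResult> HandleAsync(string email)
    {
        bool exists = await _users.ExistsByEmailAsync(email);
        if (exists)
        {
            _queue.Enqueue(email); // the actual mail goes out from a background worker
        }

        if (_options.PreventEmailEnumeration)
        {
            // Hardened path: same status and same text whether or not the address is registered.
            return new ForgotPasswordResult(true, GenericMessage);
        }

        // Default path (current behaviour): the two responses differ and reveal account existence.
        return exists
            ? new ForgotPasswordResult(true, "A recovery email has been sent.")
            : new ForgotPasswordResult(false, "Cannot find the given email");
    }
}

// In-memory stand-ins for the demo (constructed sample data, not real users).
public sealed class InMemoryUsers : IUserLookup
{
    private readonly HashSet<string> _emails = new(StringComparer.OrdinalIgnoreCase) { "alice@example.com" };
    public Task<bool> ExistsByEmailAsync(string email) => Task.FromResult(_emails.Contains(email));
}

public sealed class InMemoryQueue : IResetLinkQueue
{
    public readonly Queue<string> Pending = new();
    public void Enqueue(string email) => Pending.Enqueue(email);
}

public static class Demo
{
    public static async Task Main()
    {
        var users = new InMemoryUsers();
        foreach (bool hardened in new[] { false, true })
        {
            var handler = new ForgotPasswordHandler(
                new ForgotPasswordOptions { PreventEmailEnumeration = hardened }, users, new InMemoryQueue());
            Console.WriteLine($"PreventEmailEnumeration = {hardened}");
            foreach (var email in new[] { "alice@example.com", "nobody@example.com" })
            {
                var result = await handler.HandleAsync(email);
                Console.WriteLine($"  {email,-20} -> success={result.Success} message=\"{result.Message}\"");
            }
        }
    }
}
```

Two details matter beyond the message text. The HTTP status code and the shape of the response body must also be identical in both branches, otherwise a client can still tell the cases apart even though the visible text is the same. And the work that only happens for a registered user (composing and sending the mail) is queued instead of awaited, so the response time does not differ measurably between a known and an unknown address.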