
User enumeration at login #34

Closed
AlMaVizca opened this issue Apr 4, 2017 · 3 comments

Comments

@AlMaVizca

How do you see the idea of unifying the messages USER_DOES_NOT_EXIST and INVALID_PASSWORD?

If they are split or in a different position, somebody could do a user enumeration.

Testing for User Enumeration and Guessable User Account

@jirikuncar
Member

@krahser one can change the messages to be equal so the immediate threat is eliminated.

@AlMaVizca
Author

IMHO it's not just the message, it's also the position in the DOM where the message is rendered.

@jirikuncar
Member

@krahser then we should change the field validator to form validator.
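
The two designs discussed in this thread, modelled in plain Python as an added example (this is not Flask-Security's code and does not use WTForms, so it runs offline). The first function validates per field, as field validators do, and attaches USER_DOES_NOT_EXIST to the email field and INVALID_PASSWORD to the password field, which is exactly what lets a template render them in different places. The second validates the whole form at once and returns one generic message under one key for both failures; it also hashes the submitted password against a dummy credential when the account does not exist, so the two failure paths cost the same time. The user store, the dummy credential, the iteration count and the helper names (`login_field_validators`, `login_form_validator`, `enumerates_users`) are all constructed for this example.

```python
"""Field-level vs form-level login validation and user enumeration.

Added example, not the project's code. Models the two patterns from the
thread in plain Python: per-field validators that emit distinct messages
on distinct fields, versus one form-level validator that emits a single
generic error and does the same hashing work on both failure paths.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 rounds; an assumed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the example: email -> (salt, digest).
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy credential used when the account does not exist, so the hashing cost
# (and therefore the response time) is the same whether or not the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_field_validators(form: dict) -> dict:
    """Vulnerable pattern: each field validates on its own.

    Returns field name -> error message, which is how a template ends up
    rendering each message next to a different input in the DOM.
    """
    errors = {}
    record = USERS.get(form.get("email", ""))
    if record is None:
        errors["email"] = "USER_DOES_NOT_EXIST"
        return errors  # password is never even checked: a fast path
    salt, digest = record
    if not hmac.compare_digest(hash_password(form.get("password", ""), salt), digest):
        errors["password"] = "INVALID_PASSWORD"
    return errors


def login_form_validator(form: dict) -> dict:
    """Hardened pattern: one validator over the whole form.

    Unknown user and wrong password yield an identical result (same key,
    same message, same hashing work), so the response does not reveal
    which one happened.
    """
    record = USERS.get(form.get("email", ""))
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    digest_matches = hmac.compare_digest(hash_password(form.get("password", ""), salt), digest)
    if record is None or not digest_matches:
        return {"form": "Invalid email or password"}
    return {}


def enumerates_users(validator) -> bool:
    """True if the validator's output differs between an unknown account
    and a known account submitted with the wrong password."""
    unknown = validator({"email": "nobody@example.com", "password": "x"})
    wrong_pw = validator({"email": "alice@example.com", "password": "x"})
    return unknown != wrong_pw


if __name__ == "__main__":
    print("field validators leak:", enumerates_users(login_field_validators))
    print("form validator leaks:", enumerates_users(login_form_validator))
```

In WTForms terms, the first function corresponds to per-field `validators=[...]` entries and the second to overriding the form's `validate()` method; the check that matters in review is that the error dict for an unknown account and for a wrong password is identical, not merely that the two strings read the same.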

lnielsen pushed a commit that referenced this issue Feb 7, 2022
…#439) (#34)

* HTTP Auth respects SECURITY_USER_IDENTITY_ATTRIBUTES

* add unit test
@lnielsen lnielsen closed this as completed Feb 9, 2022