Usernames Enumeration #37

Closed
Spomky opened this issue Mar 12, 2019 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@Spomky
Contributor

Spomky commented Mar 12, 2019

Is your feature request related to a problem? Please describe.
At the moment, the firewall triggers an error when a username does not exist. This could be used by an attacker to find usernames and associated key descriptors.

Describe the solution you'd like
No error should be triggered if the username does not exist.
A list of fake key descriptors should be generated. This list should always be the same for a given username.

@Spomky Spomky added the enhancement New feature or request label Mar 12, 2019
@Spomky Spomky self-assigned this Mar 12, 2019
@Spomky Spomky changed the title Usenames discovery Usernames discovery Mar 13, 2019
@Spomky Spomky changed the title Usernames discovery Usernames Enumeration Mar 13, 2019
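To make the proposal above concrete, here is an added illustration in Python. It is not code from webauthn-framework and not what commit a9cd2f4 implemented; the user store, the server secret `FAKE_DESCRIPTOR_KEY`, the credential IDs and the helper names are all constructed for the example. It shows the leaky behaviour (an error for an unknown username) next to the proposed one: for an unknown username, derive a stable list of fake credential descriptors from an HMAC over the username, so repeated probes always get the same answer and the response has the same shape as for a real account.

```python
import base64
import hashlib
import hmac

# Constructed sample credential store (not real data): username -> credential IDs.
USERS = {
    "alice": [bytes.fromhex("a1" * 32), bytes.fromhex("b2" * 32)],
    "bob": [bytes.fromhex("c3" * 32)],
}

# Hypothetical server-side secret, constructed for the example. It must be
# persistent and identical on every node: if it changes, the fake list changes
# between requests and an attacker can tell fake accounts from real ones.
FAKE_DESCRIPTOR_KEY = bytes.fromhex("0f" * 32)


def _b64url(data: bytes) -> str:
    """base64url without padding, the form credential IDs take in JSON options."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def leaky_allow_credentials(username: str) -> list:
    """The behaviour the issue describes: an unknown user raises, a known user
    gets a list. The error alone tells an attacker whether the account exists."""
    if username not in USERS:
        raise LookupError("user not found")
    return [{"type": "public-key", "id": _b64url(c)} for c in USERS[username]]


def fake_credential_ids(username: str, key: bytes = FAKE_DESCRIPTOR_KEY) -> list:
    """Derive stable fake credential IDs for a username that does not exist.

    Every value is a function of (key, username), so repeated probes see the
    same list, while without the key the IDs look like any other random IDs.
    """
    seed = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    count = 1 + seed[0] % 3  # 1..3 entries, comparable to the sample store
    return [
        hmac.new(key, seed + bytes([i]), hashlib.sha256).digest()
        for i in range(count)
    ]


def allow_credentials(username: str) -> list:
    """Proposed behaviour: the same shape of answer for known and unknown users."""
    creds = USERS.get(username)
    if creds is None:
        creds = fake_credential_ids(username)
    return [{"type": "public-key", "id": _b64url(c)} for c in creds]


def probe(fn, username: str) -> tuple:
    """What a remote attacker observes from one request:
    ('ok', number of descriptors) or ('error', exception type name)."""
    try:
        return ("ok", len(fn(username)))
    except Exception as exc:  # any error is a signal to the attacker
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for user in ("alice", "nobody"):
        print(user, probe(leaky_allow_credentials, user), probe(allow_credentials, user))
```

Two caveats a practitioner would add. The fake IDs must also survive the assertion step: an authenticator will never produce a signature for one of them, and the server must reject that attempt with the same error and timing it uses for a bad signature on a real account. And the list only hides existence if the fake distribution (count, ID length) matches real accounts and the response time is comparable; a later comment in this thread records that the maintainer removed such a feature because of the problems it caused.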
@Spomky
Contributor Author

Spomky commented Apr 14, 2019

Partially fixed in Json Firewall (a9cd2f4)

@Spomky
Contributor Author

Spomky commented Apr 25, 2019

Recommendations added to the documentation

@Spomky Spomky closed this as completed Apr 25, 2019
@AlexH-HankIT

Is this still relevant with the current version? Looks like by default it is still possible to use this mechanism to determine which users do and do not exist.

@Spomky
Contributor Author

Spomky commented Mar 3, 2020

Yes it is and there is no efficient way to prevent it.
The Fake User Entity Support mentioned above has been removed in the last major release as this feature creates a lot of issues.
Best is to let users choose a username without any constraint and recommend them to avoid personal data, e.g. real name or e-mail address.

@AlexH-HankIT

OK, in my use case the username is pre determined anyway. Thanks for the quick response.

@github-actions
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023