Usernames Enumeration #37
Comments
Partially fixed in Json Firewall (a9cd2f4)
Recommendations added to the documentation
Is this still relevant with the current version? Looks like by default it is still possible to use this mechanism to determine which users do and do not exist.
Yes, it is, and there is no efficient way to prevent it.
OK, in my use case the username is predetermined anyway. Thanks for the quick response.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Is your feature request related to a problem? Please describe.
At the moment, the firewall triggers an error when a username does not exist. This could be used by an attacker to find usernames and associated key descriptors.
Describe the solution you'd like
No error should be triggered if the username does not exist.
A list of fake key descriptors should be generated. This list should always be the same for a given username.
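A sketch of the deterministic decoy list requested above, as an added example that is not part of the issue or the project's own code. `SERVER_SECRET`, `REGISTERED` and the function names are hypothetical; the descriptor shape follows WebAuthn's `PublicKeyCredentialDescriptor` (`type`, `id`).

```python
import base64
import hashlib
import hmac

# Assumption: a secret that is stable across requests and never leaves the server.
# Constructed value for the demo; load it from configuration in real use.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed sample store: username -> registered credential IDs (raw bytes).
REGISTERED = {"alice": [bytes.fromhex("a1" * 32), bytes.fromhex("b2" * 32)]}


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the usual JSON encoding for credential IDs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def fake_descriptors(username: str, count: int = 1, id_len: int = 32) -> list:
    """Derive decoy descriptors from HMAC(secret, username || index).

    The same username always yields the same list, and without the secret
    a client cannot recompute the IDs to tell decoys from real ones.
    """
    out = []
    for i in range(count):
        msg = username.encode("utf-8") + b"\x00" + i.to_bytes(4, "big")
        digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
        out.append({"type": "public-key", "id": _b64url(digest[:id_len])})
    return out


def allow_credentials(username: str) -> list:
    """Return real descriptors for known users, stable decoys otherwise."""
    creds = REGISTERED.get(username)
    if creds is None:
        # No error for an unknown username: answer in the same shape as a hit.
        return fake_descriptors(username)
    return [{"type": "public-key", "id": _b64url(c)} for c in creds]
```

This covers only the content of the response; the number of descriptors, their ID length and the response time for unknown usernames also need to match what real accounts produce.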