Support Article
Enumeration in Login Facility
SA-36392
Summary
The web application returned different responses when a valid and invalid username was submitted through the login form.
By guessing usernames or running an automated username brute-force script, an attacker can build a list of valid users for the application; from that point, only a password stands between them and unauthorized access.
The login page identified was susceptible to username enumeration: it returned a different, more permissive error response when a valid username was submitted.
The user is on the SSO login screen.
Error Messages
"Error authenticating testuser: This user must use external authentication".
Steps to Reproduce
The application uses external authentication:
1. Enter an invalid operator name and password on the login screen. The error says "The information you entered was not recognized".
2. Enter a valid operator ID (that is, one whose operator ID record has the external authentication box ticked), for example testuser, with an invalid password.
The error says "Error authenticating testuser: This user must use external authentication".
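The following is an added illustration, not Pega code, of the behaviour in the Summary and the Steps to Reproduce: a login handler whose failure message depends on whether the operator ID exists (and on its authentication type) beside a hardened handler that returns one generic message on every failure path. The operator records, the toy SHA-256 password check and the regression check function are constructed for this example.

```python
"""Added example (not Pega code): how a login handler that answers
'must use external authentication' for known accounts leaks username
existence, and the hardened shape that does not."""
import hashlib
import hmac

# Constructed sample operator records. SHA-256 stands in for a password
# store here purely for illustration; a real system uses a password KDF.
_OPERATORS = {
    "testuser": {"external_auth": True, "pw_hash": None},
    "localadmin": {
        "external_auth": False,
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
    },
}

# The single message every failed login should produce.
GENERIC_FAILURE = "The information you entered was not recognized"


def _password_ok(record, password):
    """Constant-time comparison of the supplied password's digest."""
    if record["pw_hash"] is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["pw_hash"])


def vulnerable_login(username, password):
    """The behaviour the article describes: the error text depends on whether
    the operator ID exists and on whether it is flagged for external auth."""
    record = _OPERATORS.get(username)
    if record is None:
        return GENERIC_FAILURE
    if record["external_auth"]:
        # Leaks that the account exists and which auth path it uses.
        return (f"Error authenticating {username}: "
                "This user must use external authentication")
    if not _password_ok(record, password):
        return GENERIC_FAILURE
    return "OK"


def hardened_login(username, password):
    """Same decision, but every failure path yields the same message.
    The fact that an account is external-auth belongs in a server-side
    audit log (assumed hook, not shown), never in the client response."""
    record = _OPERATORS.get(username)
    if (record is None
            or record["external_auth"]
            or not _password_ok(record, password)):
        # audit(username, reason) would be called here; client sees nothing distinct.
        return GENERIC_FAILURE
    return "OK"


def leaks_username_existence(login, known_user, unknown_user, password="wrong"):
    """Regression check for a test suite: True when the handler's failure
    response differs between a known and an unknown operator ID."""
    return login(known_user, password) != login(unknown_user, password)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_username_existence(vulnerable_login, "testuser", "nobody"))
    print("hardened handler leaks:  ", leaks_username_existence(hardened_login, "testuser", "nobody"))
```

The leaks_username_existence check is the kind of assertion to keep in the login module's test suite after applying a fix, so a later change to the error handling cannot quietly reintroduce the difference. Response timing should get the same treatment, since a code path that skips the password check for unknown users can also distinguish accounts.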
Root Cause
A defect in Pegasystems’ code or rules.
Resolution
Apply HFix-33378.
Published April 25, 2017 - Updated October 8, 2020