Support Article

Enumeration in Login Facility

SA-36392

Summary



The web application returned different responses depending on whether a valid or an invalid username was submitted through the login form.

By means of username-guessing techniques or an automated username brute-force script, an attacker can obtain a list of valid users for the application, meaning they then require only a password to gain unauthorized access.

The login page identified was susceptible to username enumeration, returning a different, more permissive error response when a valid username was used.

The user is on the SSO login screen.

Error Messages



"Error authenticating testuser: This user must use external authentication".


Steps to Reproduce



The application uses external authentication:

1. Enter an invalid operator name and password on the login screen. The error says "The information you entered was not recognized".
2. Enter a valid operator ID (that is, one whose operator ID record has the external authentication box ticked), for example testuser, with an invalid password. The error says "Error authenticating testuser: This user must use external authentication".
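The following is an added illustration, not Pegasystems' code or the fixed rules: a minimal login handler that reproduces the behaviour described in the Summary and the Steps to Reproduce (a distinct message for an existing externally-authenticated operator), the uniform-response variant that closes the leak, and a black-box check that a tester or regression suite can run against either. The operator records, the "localuser" account and the function names are constructed for the example; only the two error strings and the testuser ID come from the article.

```python
"""Added example (not Pega's code): why differing login error messages
confirm valid operator IDs, and how a uniform failure response closes it.

The operator store, the "localuser" account and the function names are
constructed assumptions; the messages and "testuser" come from the article.
"""
from dataclasses import dataclass
from typing import Callable, Optional

GENERIC_ERROR = "The information you entered was not recognized"


@dataclass(frozen=True)
class Operator:
    operator_id: str
    external_auth: bool      # mirrors the "external authentication" tick box
    password: Optional[str]  # None when the account authenticates externally


# Constructed sample operator records (not real accounts).
OPERATORS = {
    "testuser": Operator("testuser", external_auth=True, password=None),
    "localuser": Operator("localuser", external_auth=False, password="correct horse"),
}


def login_leaky(operator_id: str, password: str) -> str:
    """Behaviour described in the article: the error text depends on whether
    the operator ID exists, so the response itself confirms valid IDs."""
    op = OPERATORS.get(operator_id)
    if op is None:
        return GENERIC_ERROR
    if op.external_auth:
        # Distinct message for a real account: this is the enumeration leak.
        return f"Error authenticating {operator_id}: This user must use external authentication"
    if op.password != password:
        return GENERIC_ERROR
    return "OK"


def login_uniform(operator_id: str, password: str) -> str:
    """Hardened variant: every failed attempt returns the same message.
    An account that must authenticate externally is treated like any other
    failed local login, so the response no longer reveals that the ID exists."""
    op = OPERATORS.get(operator_id)
    if op is None or op.external_auth or op.password != password:
        return GENERIC_ERROR
    return "OK"


def enumeration_possible(login: Callable[[str, str], str],
                         known_valid: str,
                         known_invalid: str,
                         password: str = "wrong-password") -> bool:
    """Black-box regression check: submit the same bad password for one ID
    known to exist and one known not to, and report whether the two
    responses differ. True means the login form discloses ID validity."""
    return login(known_valid, password) != login(known_invalid, password)


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, "enumeration possible:",
              enumeration_possible(handler, "testuser", "no-such-operator"))
```

The check compares only message bodies; in practice the same comparison should also cover HTTP status codes, redirects and response size, since any of those can carry the same signal. Until HFix-33378 is applied, this kind of test is a simple way to confirm the exposure on a given environment.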


Root Cause



A defect in Pegasystems’ code or rules.

Resolution



Apply HFix-33378.

Published April 12, 2017 - Updated April 25, 2017
