Enumeration in Login Facility
Summary
The web application returned different responses when a valid and an invalid username were submitted through the login form.
By means of username guessing or an automated username brute-force script, an attacker can obtain a list of valid users for the application, meaning they then require only a password to gain unauthorized access.
The login page identified was susceptible to username enumeration, returning a different, more permissive error response when a valid username was used.
The user is on the SSO login screen.
Error Messages
"Error authenticating testuser: This user must use external authentication".
Steps to Reproduce
The application uses external authentication:
1. Enter an invalid operator name and password on the login screen. The error says "The information you entered was not recognized".
3. Enter a valid operator ID (that is, one whose operator ID record has the external authentication box ticked), for example testuser, and an invalid password.
The error says "Error authenticating testuser: This user must use external authentication".
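The following is an added illustration, not Pega's code, of the defect described in the steps above and of the fix a defender would expect: two minimal login handlers over a constructed operator table. The first reproduces the leak (the failure message depends on whether the operator ID exists and whether its record is flagged for external authentication); the second collapses every failure path into the same generic message. The operator names, the password hashing scheme and the helper responses_differ are assumptions for the example.

```python
"""Added example (not Pega's code): leaky vs. uniform login failure responses.

Operator records, passwords and function names are constructed for this
illustration and are not taken from the application described above.
"""
import hashlib
import hmac

# Constructed operator table: username -> (sha256 password hash or None, uses external auth)
OPERATORS = {
    "testuser": (None, True),  # external authentication box ticked, no local password
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), False),
}

GENERIC_ERROR = "The information you entered was not recognized"
# Dummy hash so the hardened handler does the same amount of work for unknown users.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def _local_password_ok(stored_hash, password):
    """Constant-time comparison of the supplied password against the stored hash."""
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored_hash or _DUMMY_HASH, candidate) and stored_hash is not None


def login_leaky(username, password):
    """Vulnerable handler: distinct messages reveal which operator IDs exist."""
    record = OPERATORS.get(username)
    if record is None:
        return (False, GENERIC_ERROR)
    stored_hash, external = record
    if external:
        # This branch is only reachable for a valid operator ID, so the
        # message itself confirms the account exists.
        return (False, f"Error authenticating {username}: This user must use external authentication")
    if _local_password_ok(stored_hash, password):
        return (True, "OK")
    return (False, GENERIC_ERROR)


def login_uniform(username, password):
    """Hardened handler: every failure path produces the same message."""
    record = OPERATORS.get(username)
    stored_hash, external = record if record is not None else (None, False)
    password_ok = _local_password_ok(stored_hash, password)
    if record is not None and not external and password_ok:
        return (True, "OK")
    # Unknown user, externally authenticated user and wrong password all end here;
    # routing an external user to SSO is done separately, not via the error text.
    return (False, GENERIC_ERROR)


def responses_differ(handler, known_user, unknown_user, password="wrong"):
    """Defender's check: do a valid and an invalid username yield different failure text?

    Returns True when the handler leaks account validity through its message.
    """
    return handler(known_user, password)[1] != handler(unknown_user, password)[1]


if __name__ == "__main__":
    print("leaky handler leaks:", responses_differ(login_leaky, "testuser", "nosuchuser"))
    print("uniform handler leaks:", responses_differ(login_uniform, "testuser", "nosuchuser"))
```

The responses_differ check is the regression test a team would keep after fixing such a finding: submit a known operator ID and a nonexistent one with the same wrong password and require the failure text to be identical. Response timing should be kept uniform for the same reason, which is why the hardened handler performs the hash comparison even when no record exists.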
Root Cause
A defect in Pegasystems' code or rules.
Published April 12, 2017 - Updated April 25, 2017