Pending Review

Limit Logon Failure Response to only "Login failed; Invalid userID or password"

Donato - Agio, 5 years ago, updated 5 years ago

Our internal security team has identified that the Control portal is not currently compliant with OWASP (Open Web Application Security Project) Top 10 Application Security Risks. Per the ticket I opened we are submitting this feature request, which is actually to limit the response dialog to only "Login failed; Invalid userID or password"

Details:

Authentication and Error Messages

Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.


Authentication Responses

An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.


Incorrect Response Examples (All Currently Present in Control)

"Login for User foo: invalid password"

"Login failed, invalid user ID"

"Login failed; account disabled"

"Login failed; this user is not active"


Correct Response Example

"Login failed; Invalid userID or password"


Reference:

The standard from OWASP is A2:2017 Broken Authentication - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

From their cheat sheet section 1.1.8 Authentication and Error messages - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

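To make the difference between the two response styles concrete, here is an added example (not Control's code, and not from Agio's report): a constructed in-memory user store, a handler that returns the four leaky messages listed in the post, and a hardened handler that returns one generic message and one status code whatever the cause of failure. The `enumerate_users` helper models what an attacker learns by comparing responses against a username that is known not to exist. The dummy-hash path for unknown users addresses a related point from the same OWASP cheat sheet section that the post does not raise: the response time should not differ either, so the password is hashed even when there is no account to compare against.

```python
"""Leaky vs generic login responses. Added example; usernames, passwords
and the user store below are constructed for illustration."""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (HTTP status, message body)

# Constructed store. A fixed salt is used only to keep the example short;
# real stores use a random per-user salt.
_SALT = b"constructed-example-salt"
_ITERATIONS = 20_000  # kept low so the example runs quickly


def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS: Dict[str, Dict[str, object]] = {
    "foo":      {"hash": _pbkdf2("correct horse"), "status": "active"},
    "disabled": {"hash": _pbkdf2("pw"),            "status": "disabled"},
    "inactive": {"hash": _pbkdf2("pw"),            "status": "inactive"},
}

# Hash compared against when the user does not exist, so an unknown userID
# costs the same PBKDF2 work as a known one (timing caveat, see lead-in).
_DUMMY_HASH = _pbkdf2("dummy-password-never-accepted")

GENERIC: Response = (401, "Login failed; Invalid userID or password")


def login_leaky(user: str, password: str) -> Response:
    """The 'before' behaviour: every failure cause gets its own message and
    status code, so each response confirms something about the account."""
    rec = USERS.get(user)
    if rec is None:
        return 404, "Login failed, invalid user ID"
    if rec["status"] == "disabled":
        return 403, "Login failed; account disabled"
    if rec["status"] == "inactive":
        return 403, "Login failed; this user is not active"
    if not hmac.compare_digest(rec["hash"], _pbkdf2(password)):
        return 401, f"Login for User {user}: invalid password"
    return 200, "OK"


def login_generic(user: str, password: str) -> Response:
    """Hardened behaviour: unknown user, wrong password and non-active
    account all produce the identical (status, message) pair. The password
    is always hashed once, and the account state is checked only after the
    credential comparison so neither branch short-circuits the work."""
    rec = USERS.get(user)
    stored = rec["hash"] if rec is not None else _DUMMY_HASH
    ok = hmac.compare_digest(stored, _pbkdf2(password))
    if rec is None or not ok or rec["status"] != "active":
        return GENERIC
    return 200, "OK"


def enumerate_users(login: Callable[[str, str], Response],
                    candidates: List[str],
                    probe_password: str = "x") -> List[str]:
    """Attacker's view: try one wrong password per candidate and report the
    usernames whose response differs from that of a non-existent user. Each
    such username is confirmed to exist (and its status may be leaked too)."""
    baseline = login("no-such-user-constructed", probe_password)
    return sorted(u for u in candidates if login(u, probe_password) != baseline)


if __name__ == "__main__":
    names = ["foo", "disabled", "inactive", "nobody"]
    print("leaky handler reveals:  ", enumerate_users(login_leaky, names))
    print("generic handler reveals:", enumerate_users(login_generic, names))
```

Against the constructed store, the leaky handler lets the probe confirm `foo`, `disabled` and `inactive` (and distinguishes the two account states), while the generic handler gives the probe nothing to separate them from a username that was never registered. The same principle applies to any other channel the response exposes, such as redirect targets or response size, not just the message text.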

Hi Donato, 

Thanks for flagging this. To be compliant, we updated password/username response to one notification only, similar to your suggestion, in a recent update - 6.8. Are you using an older version of Control? 

Thanks!

Hi Caitlin - Thanks for following up. I believe we are on 6.6 right now. We'll run through the upgrade to 6.8 this week and I'll let you know if that resolves it for us.