312-50V11 · Question #1012
Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to
The correct answer is B. Verbose failure messages. Login forms that specify which field is incorrect - username or password - allow attackers to enumerate valid usernames by observing differentiated error responses.
Question
Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering. Which of the following design flaws in the authentication mechanism is exploited by Calvin?
Options
- AInsecure transmission of credentials
- BVerbose failure messages
- CUser impersonation
- DPassword reset mechanism
How the community answered
(24 responses)- A4% (1)
- B92% (22)
- C4% (1)
Why each option
Login forms that specify which field is incorrect - username or password - allow attackers to enumerate valid usernames by observing differentiated error responses.
Insecure transmission of credentials is a transport-layer flaw where login data is sent over unencrypted protocols like HTTP instead of HTTPS, which is unrelated to the error message specificity that Calvin exploited.
Verbose failure messages occur when an authentication form returns field-specific errors such as 'Username does not exist' versus 'Incorrect password', revealing whether a given username is valid. This lets Calvin systematically confirm real accounts through repeated attempts, then use that verified list of real usernames as a foundation for targeted social engineering campaigns.
User impersonation refers to an attacker assuming the identity of a legitimate user after credential theft, not the upstream process of discovering which usernames exist via error message analysis.
Password reset mechanism vulnerabilities involve flaws in the recovery flow such as predictable tokens or weak security questions, which is a separate authentication design flaw from how error messages disclose field validity.
Concept tested: Username enumeration via verbose authentication failure messages
Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
Topics
Community Discussion
No community discussion yet for this question.