GCIH · Question #503
What step would mitigate the risk of the specific type of the web attack that produced the web server logs presented below?
The correct answer is D. Authentication error messages must be consistent. The logs show a username enumeration attack where an attacker exploits differing authentication error messages to identify valid accounts, and consistent error messages eliminate this information leak.
Question
What step would mitigate the risk of the specific type of the web attack that produced the web server logs presented below?
Exhibit
Options
- AHTTPS should be used instead of HTTP
- BThe root account should not be available via a web interface
- CUsers should not share the same password
- DAuthentication error messages must be consistent
- EThe application should require stronger passwords
How the community answered
(55 responses)- A11% (6)
- B20% (11)
- C2% (1)
- D62% (34)
- E5% (3)
Why each option
The logs show a username enumeration attack where an attacker exploits differing authentication error messages to identify valid accounts, and consistent error messages eliminate this information leak.
Switching to HTTPS encrypts the connection in transit but does not prevent an attacker from interacting with the login endpoint directly and observing different error messages in the response body.
Disabling root account web access is a privilege hardening control that is unrelated to the enumeration vector created by inconsistent error message wording.
Prohibiting shared passwords is a credential hygiene measure that does not prevent an attacker from probing the login form to identify which usernames exist in the system.
When a login form returns distinct messages such as 'invalid username' versus 'invalid password,' an attacker can probe the endpoint and observe which response is returned to enumerate valid accounts. Returning a single generic message - for example, 'invalid credentials' - regardless of whether the username or password is incorrect removes the distinguishing signal and mitigates enumeration. This directly addresses the specific attack pattern visible in the logs.
Enforcing stronger password complexity mitigates brute-force attacks against already-known accounts but does not stop an attacker from enumerating valid usernames through error message differences.
Concept tested: Username enumeration via inconsistent authentication error messages
Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
Topics
Community Discussion
No community discussion yet for this question.
