nerdexam
GIAC

GCIH · Question #503

What step would mitigate the risk of the specific type of the web attack that produced the web server logs presented below?

The correct answer is D. Authentication error messages must be consistent. The logs show a username enumeration attack where an attacker exploits differing authentication error messages to identify valid accounts, and consistent error messages eliminate this information leak.

Web Application Attacks & Post-Exploitation

Question

What step would mitigate the risk of the specific type of the web attack that produced the web server logs presented below?

Exhibit

GCIH question #503 exhibit

Options

  • AHTTPS should be used instead of HTTP
  • BThe root account should not be available via a web interface
  • CUsers should not share the same password
  • DAuthentication error messages must be consistent
  • EThe application should require stronger passwords

How the community answered

(55 responses)
  • A
    11% (6)
  • B
    20% (11)
  • C
    2% (1)
  • D
    62% (34)
  • E
    5% (3)

Why each option

The logs show a username enumeration attack where an attacker exploits differing authentication error messages to identify valid accounts, and consistent error messages eliminate this information leak.

AHTTPS should be used instead of HTTP

Switching to HTTPS encrypts the connection in transit but does not prevent an attacker from interacting with the login endpoint directly and observing different error messages in the response body.

BThe root account should not be available via a web interface

Disabling root account web access is a privilege hardening control that is unrelated to the enumeration vector created by inconsistent error message wording.

CUsers should not share the same password

Prohibiting shared passwords is a credential hygiene measure that does not prevent an attacker from probing the login form to identify which usernames exist in the system.

DAuthentication error messages must be consistentCorrect

When a login form returns distinct messages such as 'invalid username' versus 'invalid password,' an attacker can probe the endpoint and observe which response is returned to enumerate valid accounts. Returning a single generic message - for example, 'invalid credentials' - regardless of whether the username or password is incorrect removes the distinguishing signal and mitigates enumeration. This directly addresses the specific attack pattern visible in the logs.

EThe application should require stronger passwords

Enforcing stronger password complexity mitigates brute-force attacks against already-known accounts but does not stop an attacker from enumerating valid usernames through error message differences.

Concept tested: Username enumeration via inconsistent authentication error messages

Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

Topics

#authentication enumeration#error message consistency#brute force detection#web server logs

Community Discussion

No community discussion yet for this question.

Full GCIH Practice