How to prevent user enumeration in HTTP Basic auth

wvalencak
1-Newbie

Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not?  Currently there are 2 different responses:


If the user name exists, and the password is invalid:

HTTP Status 401 - Authentication failed for , please make sure the credentials are correct



If the user name is not valid:

HTTP Status 401 - Basic Authentication requires a valid HTTP Authorization header be supplied.


2nd attempt with invalid user name:

HTTP Status 401 - Invalid User Name



This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in our Thingworx system.

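The three different 401 bodies above (wrong password, unknown user, missing header) are exactly the oracle a pentester uses. The fix is a single fixed 401 response for every failure and the same amount of work on every code path, so neither the body nor the timing reveals whether the user exists. The following is an added illustration, not ThingWorx or Tomcat code: a minimal Basic-auth check in Python with a constructed user table, a dummy hash that is verified when the user is unknown, and a constant-time digest comparison. The realm name, the iteration count and the response body are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed PBKDF2 work factor for the example; a real deployment tunes this.
_ITER = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITER)


def make_user_db(users: dict) -> dict:
    """Build a constructed user table: username -> (salt, pbkdf2 hash)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(pw, salt))
    return db


# Dummy credential verified when the user does not exist, so an unknown user
# costs the same PBKDF2 work as a known one and response timing stays flat.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

# The one and only failure response: identical status, headers and body for a
# bad password, an unknown user, a malformed header and a missing header.
UNAUTHORIZED: Tuple[int, dict, bytes] = (
    401,
    {"WWW-Authenticate": 'Basic realm="ThingWorx"', "Content-Type": "text/plain"},
    b"HTTP Status 401 - Authentication failed, please make sure the credentials are correct",
)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authenticate(db: dict, authorization_header: Optional[str]):
    """Return (status, headers, body). Every failure yields the same UNAUTHORIZED tuple."""
    if not authorization_header:
        return UNAUTHORIZED
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return UNAUTHORIZED
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return UNAUTHORIZED
    username, sep, password = decoded.partition(":")
    if not sep:
        return UNAUTHORIZED
    # Unknown user falls through to the dummy credential instead of returning early.
    salt, expected = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), expected)
    # The dummy hash must never grant access even if someone guesses "dummy-password",
    # so success additionally requires that the user really exists.
    if matched and username in db:
        return (200, {"Content-Type": "text/plain"}, b"OK")
    return UNAUTHORIZED


if __name__ == "__main__":
    db = make_user_db({"alice": "correct horse battery staple"})
    for label, hdr in [
        ("good", basic_header("alice", "correct horse battery staple")),
        ("bad password", basic_header("alice", "wrong")),
        ("unknown user", basic_header("mallory", "wrong")),
        ("no header", None),
    ]:
        print(label, authenticate(db, hdr)[0])
```

The point of the dummy hash is that the unknown-user branch is not a cheap early return: it still runs the full password hash, so a response-time measurement cannot substitute for the removed error text. Tomcat's verbose error pages should stay off as well, but as the original poster notes, that alone does not help when the authenticator itself chooses different messages.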
3 REPLIES
smanley
13-Aquamarine
(To:wvalencak)

Are you using a custom login or the default login from the browser?




We are using the default login -- the one that you get if you navigate to /Thingworx/Composer/index.html or any other similar url.  The browser pops up a standard basic auth login dialog, and then gives one of the above error messages if you cancel the dialog.  Detailed Tomcat error messages are turned off, but we had the same issue when they were turned on.

smanley
13-Aquamarine
(To:wvalencak)

This is a known error that has been reported to R&D
