3 Replies Latest reply on Mar 4, 2015 3:56 PM by saeedma
    williamv Newbie

    How to prevent user enumeration in HTTP Basic auth

    Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not? Currently there are 2 different responses:

    If the user name exists, and the password is invalid:

    HTTP Status 401 - Authentication failed for , please make sure the credentials are correct

    If the user name is not valid:

    HTTP Status 401 - Basic Authentication requires a valid HTTP Authorization header be supplied.

    2nd attempt with invalid user name:

    HTTP Status 401 - Invalid User Name

    This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in our ThingWorx system.
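The fix the post is asking for, shown as an added example that is not part of the original post or of ThingWorx: every failure cause (missing or malformed header, unknown user, wrong password) maps to one identical 401 response, and a dummy hash is verified when the user does not exist so the timing of a lookup miss matches that of a wrong password. The user store, salt and realm are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample user store (hypothetical): passwords stored as salted PBKDF2 hashes.
SALT = b"constructed-salt-for-example"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 50_000)


USERS = {"alice": _hash("correct horse")}
# Verified whenever the user is unknown, so a miss costs the same as a wrong password.
DUMMY_HASH = _hash(secrets.token_hex(16))

# The single response every failure path returns: same status, same header, same body.
FAILURE = (401, {"WWW-Authenticate": 'Basic realm="app"'},
           "HTTP Status 401 - Authentication failed")


def basic_header(user: str, password: str) -> str:
    """Build an Authorization: Basic header value for a client request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header: Optional[str]):
    """Return (status, headers, body); only a valid user+password yields 200."""
    creds = parse_basic(header)
    if creds is None:
        # Burn one hash so the "no header" path is not distinguishable by timing either.
        hmac.compare_digest(_hash(""), DUMMY_HASH)
        return FAILURE
    user, password = creds
    stored = USERS.get(user, DUMMY_HASH)  # unknown user -> compare against the dummy
    matched = hmac.compare_digest(_hash(password), stored)
    if matched and user in USERS:
        return (200, {}, f"Welcome {user}")
    return FAILURE
```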