Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Privacy Violation: Inconsistent Feedback

Universal

Abstract

When a user enters an invalid user name or password for a login, uses forgotten password, or new user signup function, an application might provide meaningful feedback through a response discrepancy. For the potential attacker, this discrepancy increases the chances of a successful brute force attack against the site's authentication.

Explanation

Users expect applications to provide meaningful and user-friendly messages when there is a failure. However, when a login failure occurs due to incorrect credentials, providing verbose errors/messages might provide an attacker with information on how the application authorizes users.
For example, consider an application that takes an email address and a password. If the application provides different error messages for a non-existent email address and an incorrect password, it enables an attacker to submit multiple email addresses and discover the email addresses that are registered to the application. Such brute force attacks can provide extra information that can enable an attacker to proceed further.

References

[1] OWASP Guide to Authentication OWASP

[2] Username Enumeration Vulnerabilities

[3] Standards Mapping - Common Weakness Enumeration CWE ID 203

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314

[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SI-11 Error Handling (P2)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SI-11 Error Handling

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.1 General Authenticator Requirements (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)

[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[49] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.dynamic.xtended_preview.privacy_violation_inconsistent_feedback