Security Test: Leaking authentication
Description
Default Severity:
When a server reveals too much about how it handles authentication, it tells an attacker how the system works internally. The vulnerability occurs when error messages or responses carry sensitive detail, such as which step of the authentication failed (for example, an "unknown user" message that differs from a "wrong password" message) or which user records exist, so that an attacker can enumerate valid accounts and work out how to bypass the checks. Left unchecked, this leads to unauthorized access to accounts or, in the worst case, control over the system. The common misstep is returning unsanitized responses or internal error details that let an attacker piece together how the authentication flow works; every failed authentication attempt should produce the same generic status code and message.
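The following is an added example, not code from the original page or from the scanner it documents. It shows a minimal login handler in a leaky form and a hardened form, plus the comparison a test for this issue can run: submit an unknown username and a wrong password for a known user, and flag the endpoint when the two failure responses are distinguishable. The user store, passwords, field names and the `login_*` / `leaks_authentication_detail` function names are constructed for the example.

```python
# Added example (not code from the original page or from the scanner it
# documents): a login handler in a leaky and a hardened form, and the
# comparison check that detects the leak. Users, passwords and field
# names are constructed for the example.
import hashlib
import hmac
import secrets

_SALT = b"\x00" * 16  # fixed salt so the example is deterministic


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password (constructed store, not a real DB)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so that the
# unknown-user and wrong-password paths cost the same time.
_DUMMY = (_SALT, _hash("dummy", _SALT))


def login_leaky(username: str, password: str) -> tuple[int, dict]:
    """Vulnerable variant: status and body say WHICH check failed."""
    record = USERS.get(username)
    if record is None:
        return 404, {"error": f"user '{username}' does not exist"}
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401, {"error": "incorrect password for existing user"}
    return 200, {"token": secrets.token_hex(16)}


def login_hardened(username: str, password: str) -> tuple[int, dict]:
    """Hardened variant: every failure gets the same status and body."""
    salt, digest = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    if username not in USERS or not password_ok:
        return 401, {"error": "invalid credentials"}
    return 200, {"token": secrets.token_hex(16)}


def leaks_authentication_detail(login, known_user: str) -> bool:
    """Check a scanner can run: does an unknown username produce a
    response distinguishable from a wrong password for a real user?

    Both probes fail, so any difference in status code or body is
    information an attacker can use for account enumeration."""
    unknown = login("no-such-user-" + secrets.token_hex(4), "x")
    wrong_pw = login(known_user, "definitely-not-the-password")
    return unknown != wrong_pw


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(name, "leaks:", leaks_authentication_detail(handler, "alice"))
```

The check compares only status code and body, which is what this test is about. Response time is a separate side channel: a handler that skips the password hash for unknown users answers faster, which is why the hardened variant verifies a dummy hash on that path.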
Configuration
Identifier:
information_disclosure/leaking_authentication
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 8.2.1 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.18.1 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 200 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 7.2 |