# Information Disclosure: Possible User Enumeration

Identifier: `leaking_authentication`

## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
## Description
Authentication endpoints may leak information about user existence or account status through differences in error messages, response times, or response content, enabling user enumeration attacks.
**How we test:** We analyze authentication responses for different usernames and passwords to detect information leakage. We compare error messages, response times, and response content to identify patterns that reveal whether a user exists or what part of the authentication process failed.
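To make the leak and the comparison concrete, here is an added example that is not part of the scanner's own code or of this page: a login handler that reveals account existence through distinct error responses and a skipped hash computation, beside a hardened handler that returns one uniform failure and always performs the hash, plus a check that compares the two responses the way the test described above does. The user store, passwords, usernames and function names are constructed for illustration.

```python
"""Added example (not the scanner's code): leaky vs. hardened login handlers
and a response-comparison check for user enumeration.  All names, users and
passwords below are constructed for illustration."""
import hashlib
import hmac
import os
import time

# Low iteration count so the example runs quickly; use far more in production.
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential used so that an unknown username still costs one hash
# computation.  Its value is random and will never match a submitted password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Vulnerable pattern: different status/message per failure cause, and the
    unknown-user branch returns before any hashing, so it is also faster."""
    record = USERS.get(username)
    if record is None:
        return 404, "user not found"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "wrong password"
    return 200, "ok"


def login_hardened(username: str, password: str):
    """Mitigated pattern: a single status and message for every failure, and the
    password hash is always computed (against the dummy for unknown users)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Constant-time comparison; the explicit membership test guarantees the
    # dummy path can never authenticate even if the digests somehow matched.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return 401, "invalid username or password"
    return 200, "ok"


def _timed(handler, username: str, password: str):
    start = time.perf_counter()
    response = handler(username, password)
    return response, time.perf_counter() - start


def check_enumeration(handler, known_user: str = "alice", unknown_user: str = "nobody"):
    """Submit the same wrong password for a known and an unknown username and
    compare the failures.  Returns (differences, timing_ratio): `differences`
    records status/message mismatches (empty means no content leak observed);
    `timing_ratio` is known/unknown elapsed time, reported separately because a
    single measurement is too noisy to assert on."""
    wrong_password = "definitely-not-the-password"
    known, t_known = _timed(handler, known_user, wrong_password)
    unknown, t_unknown = _timed(handler, unknown_user, wrong_password)
    differences = {}
    if known[0] != unknown[0]:
        differences["status"] = (known[0], unknown[0])
    if known[1] != unknown[1]:
        differences["message"] = (known[1], unknown[1])
    timing_ratio = t_known / t_unknown if t_unknown > 0 else float("inf")
    return differences, timing_ratio


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("hardened", login_hardened)):
        diffs, ratio = check_enumeration(handler)
        print(f"{name}: differences={diffs} timing_ratio={ratio:.1f}")
```

Running the module prints a non-empty `differences` dict for `login_leaky` (both status and message differ) and an empty one for `login_hardened`; the timing ratio for the leaky handler is also large because the unknown-user path skips the hash, while the hardened handler's ratio hovers around 1. Real scanners repeat the timing measurement many times before treating it as a finding.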
## Configuration

### Example

Example configuration:
## Reference

### skip

Type: boolean

Skip the test if true.