Creds Harvesting through invalid user error

anagarju
Partner - Contributor II

Description:
Using differences in responses from the application, it is possible to determine which accounts exist within the application and which do not. These differences in responses can be used by an attacker to identify existing or active accounts, and the information gathered can be used to aid in additional attack scenarios.


Mitigation Recommendations:
Avoid providing specific reasons for failure and use generic responses instead when possible. This will help ensure that attackers cannot obtain more information about accounts than necessary.
Examples of possible remediation:
Login
• Make sure to return a generic “Username or password is incorrect” message when a login failure occurs.
• Make sure the HTTP response and the time taken to respond are no different between the case where the username does not exist and the case where an incorrect password is entered.
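The two login points above, as an added example that is not part of the original post: a leaky handler that returns a different message and returns early for unknown users, beside a hardened handler that always returns the same status and message and performs the same password-hash work whether or not the username exists. The user store, the PBKDF2 parameters and all function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets

_ITERATIONS = 100_000  # constructed parameter for the example store

def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the cost is the same for every call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)

# Constructed user store: username -> (salt, derived key). Not the page's data.
USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record used when the username is unknown, so the hardened handler still
# performs exactly one derivation and the response time does not reveal existence.
_DUMMY_SALT, _DUMMY_KEY = make_user(secrets.token_hex(16))

GENERIC_ERROR = "Username or password is incorrect"

def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: message and early return differ for unknown users."""
    if username not in USERS:
        return 404, "Invalid user"       # fast path: tells the caller the account is absent
    salt, key = USERS[username]
    if hmac.compare_digest(_derive(password, salt), key):
        return 200, "OK"
    return 401, "Invalid password"       # slow path: tells the caller the account exists

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message and the same amount of work on every failure."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    ok = hmac.compare_digest(_derive(password, salt), key)
    # An unknown username must never succeed, even if the dummy key were matched.
    if ok and username in USERS:
        return 200, "OK"
    return 401, GENERIC_ERROR
```

The leaky handler differs in both status and message (and skips the hash for unknown users), while the hardened one is indistinguishable for a non-existent user and a wrong password.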

3 Comments

Meghann_MacDonald

From now on, please track this idea from the Ideation portal.

Link to new idea

Meghann

NOTE: Upon clicking this link 2 tabs may open - please feel free to close the one with a login page. If you only see 1 tab with the login page, please try clicking this link first: Authenticate me! then try the link above again. Ensure pop-up blocker is off.

Ideation

Status changed to: Closed - Archived