Creds Harvesting through invalid user error

anagarju
Partner

Description:
Using differences in responses from the application, it is possible to determine accounts that exist within the application and accounts that do not. These differences in responses can be used by an attacker to identify existing or active accounts, and the information gathered can be used to aid in additional attack scenarios.

[Screenshot attached: anagarju_0-1652074488218.png]

Mitigation Recommendations:
Avoid providing specific reasons for failure and use generic responses instead when possible. This will help ensure that attackers cannot obtain more information about accounts than necessary.
Examples of possible remediation:
Login
• Make sure to return a generic “Username or password is incorrect” message when a login failure occurs.
• Make sure the HTTP response and the time taken to respond are no different when a username does not exist than when an incorrect password is entered.
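The two remediation points above (one generic message, and no response or timing difference between "no such user" and "wrong password") are shown side by side in the added example below. This is illustrative code written for this page, not Qlik's login implementation: the user store, the `login_leaky` / `login_hardened` handlers and the `enumerate_users` probe are all hypothetical. `enumerate_users` is the harvesting technique the post describes: it compares each candidate's error response against a baseline response for a username that certainly does not exist, and reports any candidate whose response differs.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

ITERATIONS = 50_000  # PBKDF2 work factor; kept modest so the example runs quickly


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store (hypothetical): username -> (salt, stored hash)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy credential used whenever the username is unknown. The hardened handler
# always runs the hash computation, so an unknown user costs the same time as a
# known user with a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable handler: distinct messages plus an early return when the user
    is missing leak account existence through both content and timing."""
    if username not in USERS:
        return (401, "Invalid user")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (401, "Invalid password")
    return (200, "OK")


def login_hardened(username, password):
    """Hardened handler: one generic failure message, and the password hash is
    computed on every attempt (against a dummy credential if the user is unknown)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Bitwise '&' rather than 'and' so the existence check does not short-circuit.
    valid = hmac.compare_digest(candidate, stored) & (username in USERS)
    if not valid:
        return (401, "Username or password is incorrect")
    return (200, "OK")


def enumerate_users(handler, candidates):
    """Attacker-side probe: names whose failure response differs from the
    response for a username that is guaranteed not to exist."""
    baseline = handler("no-such-user-" + secrets.token_hex(8), "wrong-password")
    return [name for name in candidates if handler(name, "wrong-password") != baseline]


def median_response_time(handler, username, password, rounds=10):
    """Median wall-clock time of a login attempt, for comparing the two cases."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        handler(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    candidates = ["alice", "bob", "admin"]
    for handler in (login_leaky, login_hardened):
        print(handler.__name__)
        print("  harvested:", enumerate_users(handler, candidates))
        t_known = median_response_time(handler, "alice", "wrong-password")
        t_unknown = median_response_time(handler, "bob", "wrong-password")
        print(f"  known user {t_known * 1000:.1f} ms, unknown user {t_unknown * 1000:.1f} ms")
```

Running the block prints, for the leaky handler, `harvested: ['alice']` and a visibly shorter time for the unknown user (the hash is never computed); for the hardened handler the harvested list is empty and the two timings are comparable. Note that the dummy hash must use the same algorithm and work factor as real entries, otherwise the timing difference reappears.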
