cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X

How to prevent user enumeration in HTTP Basic auth

wvalencak
2-Explorer

How to prevent user enumeration in HTTP Basic auth

Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not?  Currently there are 2 different responses:


If the user name exists, and the password is invalid:

HTTP Status 401 - Authentication failed for , please make sure the credentials are correct



If the user name is not valid:

HTTP Status 401 - Basic Authentication requires a valid HTTP Authorization header be supplied.


2nd attempt with invalid user name:

HTTP Status 401 - Invalid User Name



This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in out Thingworx system.

3 REPLIES 3
smanley
14-Alexandrite
(To:wvalencak)

Are you using a custom login or the default login from the browser?




We are using the default login -- the one that you get if you navigate to /Thingworx/Composer/index.html or any other similar url.  The browser pops up a standard basic auth login dialog, and then gives one of the above error messages if you cancel the dialog.  Detailed Tomcat error messages are turned off, but we had the same issue when they were turned on.

smanley
14-Alexandrite
(To:wvalencak)

This is a known error that has been reported to R&D

Announcements


Top Tags