Failed Validation Messages
Here is the question I have been posed:
"What is the best way to handle in valid credentials when logging into a site. Do we tell the user if their username was invalid? Or likewise if their password is invalid?"
I did some searching, but I'm having trouble finding a site with some best practices for this, to refer them to.
My Question for the community here: Does开发者_如何转开发 anyone here know a site that has some good guidelines/best practices for this?
Just say that their credentials were incorrect.
Telling them that one piece of information was correct means that you're helping hackers discover user names at the very least.
If I enter:
admin
Password1
for example and I get a response that the password was invalid I now know that there is a user called "admin" on you system. I can now just vary the password in an effort to gain access.
If the response was "invalid user name or password" then I'm no wiser about whether there is a user called "admin" or not.
The most authoritative discussion I can find on this issue is from the "Web Security Testing Cookbook," Recipe 12.8.
The book points out:
- You should provide a generic message indicating either the username or password was incorrect; revealing that just the username is correct allows attackers to enumerate valid usernames.
- Account lockout functionality, after X number of tries, also carries the same risk; attackers can lockout accounts to find out if the usernames were valid or not.
You can read the whole "recipe" via Google Books here: http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PA249&ots=cU7V62FQOA&dq=web%20security%20reveal%20valid%20username&pg=PA248#v=onepage&q=web%20security%20reveal%20valid%20username&f=false
精彩评论