Hi,

we're using CAS and just had a security audit. The analysts criticized the 
default behavior of the CAS system regarding feedback given on failed 
authentication. 

Depending on whether a given user name is valid, the application returns 
different error texts. This can be used to identify/enumerate valid users.

Their suggestion was to only use one generic response for failed logins, no 
matter if the *username* or the *password* is wrong.

The relevant translation keys affected/used in this case are:

   - Invalid username: authenticationFailure.AccountNotFoundException
     ("Your account is not recognized and cannot log in at this time.")
   - Valid username: authenticationFailure.FailedLoginException
     ("Authentication attempt has failed, likely due to invalid credentials.
     Please verify and try again.")
This was already the case in CAS 6.x and is still occurring with the current 
CAS 7.x versions. 

Of course we could just overwrite the translation keys in the overlay for 
all available languages and make the text identical, but maybe the 
application should just use one translation for both use cases to make it 
impossible for potential attackers to guess valid accounts.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Developer" group.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/2ae18252-002e-4c7b-a3e3-9367b5978344n%40apereo.org.
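The overlay workaround mentioned in the post, written out as an added example (not code from the original poster or from the CAS project): a custom message bundle that maps both failure keys to one generic text. It assumes the overlay's default bundle location `src/main/resources/custom_messages.properties`, which CAS picks up because the default `cas.message-bundle.base-names` lists `classpath:custom_messages` ahead of `classpath:messages`; the two key names are the ones quoted in the post, the generic text reuses the existing FailedLoginException wording.

```properties
# Added example (not from the post or from CAS itself).
# Assumed location in the overlay: src/main/resources/custom_messages.properties
# Entries here override the same keys in the CAS-shipped messages.properties.

# Weak default (what the audit flagged): two different texts, so the
# response tells the caller whether the account exists. Shown commented
# out for comparison; do not ship these lines.
# authenticationFailure.AccountNotFoundException=Your account is not recognized and cannot log in at this time.
# authenticationFailure.FailedLoginException=Authentication attempt has failed, likely due to invalid credentials. Please verify and try again.

# Hardened: identical text for an unknown account and for a wrong password.
authenticationFailure.AccountNotFoundException=Authentication attempt has failed, likely due to invalid credentials. Please verify and try again.
authenticationFailure.FailedLoginException=Authentication attempt has failed, likely due to invalid credentials. Please verify and try again.
```

The same two lines have to go into every localized bundle the deployment serves (`custom_messages_de.properties`, `custom_messages_fr.properties`, and so on; file names assumed here, following the usual `<basename>_<lang>.properties` convention), otherwise a client that sends a different `Accept-Language` header still gets the distinguishing text. To check the result, submit a wrong password for a known account and for a nonexistent one and diff the full responses: identical message text closes only the channel the audit named, while differences in status code, redirect target or response timing between the two cases are separate signals that a text override does not remove.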