@CAS developers: any feedback on this? Please check if this can be
implemented. Any feedback will be highly appreciated. THX
On Wednesday, December 11, 2024 at 3:34:45 AM UTC+1 Dennis Rech wrote:
> Hi,
>
> we're using CAS and just had a security audit. The analysts criticized the
> default behavior of the CAS system regarding feedback given on failed
> authentication.
>
> Depending on if a given user name is valid or not, the application returns
> different error texts. This can be used to identify/enumerate valid users.
>
> Their suggestion was to only use one generic response for failed logins,
> no matter if the *username* or the *password* is wrong.
>
> The relevant translation keys affected/used in this case are:
>
> - Invalid username: authenticationFailure.AccountNotFoundException
>   ("Your account is not recognized and cannot log in at this time.")
> - Valid username: authenticationFailure.FailedLoginException
>   ("Authentication attempt has failed, likely due to invalid credentials.
>   Please verify and try again.")
>
> This was already the case in CAS 6.x and is still occurring with the
> current CAS 7.x versions.
>
> Of course we could just overwrite the translation keys in the overlay for
> all available languages and make the text identical, but maybe the
> application should just use one translation for both use cases to make it
> impossible for potential attackers to guess valid accounts.
>
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/f9869e5d-f6a9-4809-ad07-cf1032e93834n%40apereo.org.
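The mitigation the audit asked for, as an added example that is not CAS code and not part of this thread: the server still distinguishes "account not found" from "bad password" internally (for its own audit log), but both outcomes are mapped to the same public message key and the same response shape, and unknown usernames pay the same password-verification cost so that response time does not leak what the message no longer does. The user store, salt, hash scheme, message keys and log format are all constructed for illustration; the key name `authenticationFailure.FailedLoginException` is reused from the thread only as the single generic key.

```python
"""Collapse account-not-found and bad-password failures into one response.

Added example, not code from CAS or from the thread. The user store, salt,
PBKDF2 parameters, exception classes and audit log are constructed here.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 10_000          # constructed; low so the example runs fast
_SALT = b"constructed-salt-value"   # constructed, one salt for the toy store


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, password hash). Not real credentials.
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Decoy credential: unknown users are verified against this so the cost of a
# failed login is the same whether or not the account exists.
_DECOY = (_SALT, _hash("decoy-password", _SALT))

# The single message key every credential failure is reported under.
GENERIC_FAILURE = "authenticationFailure.FailedLoginException"

# Internal record of failures; this is where the real cause is allowed to go.
AUDIT_LOG: list[str] = []


class AccountNotFoundException(Exception):
    """Internal: the username does not exist in the store."""


class FailedLoginException(Exception):
    """Internal: the username exists but the password was wrong."""


def authenticate(username: str, password: str) -> str:
    """Verify credentials, raising a cause-specific exception on failure.

    The hash comparison runs for every request (against a decoy for unknown
    users) before the existence check, so both failure paths do the same work.
    """
    salt, expected = USERS.get(username, _DECOY)
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if username not in USERS:
        raise AccountNotFoundException(username)
    if not password_ok:
        raise FailedLoginException(username)
    return username


def login_response(username: str, password: str) -> dict:
    """Map both failure causes to one public message key.

    The specific cause is kept only in AUDIT_LOG; the caller sees the same
    status and message whether the account was missing or the password wrong.
    """
    try:
        authenticate(username, password)
        return {"status": 200, "message": "login.success"}
    except (AccountNotFoundException, FailedLoginException) as exc:
        AUDIT_LOG.append(f"auth failure user={username!r} cause={type(exc).__name__}")
        return {"status": 401, "message": GENERIC_FAILURE}


def responses_are_indistinguishable() -> bool:
    """Regression check: the two failure responses must be identical."""
    unknown_user = login_response("nobody", "whatever")
    wrong_password = login_response("alice", "wrong")
    return unknown_user == wrong_password


if __name__ == "__main__":
    print(login_response("alice", "correct horse"))
    print(login_response("alice", "wrong"))
    print(login_response("nobody", "whatever"))
    print("indistinguishable:", responses_are_indistinguishable())
    print("\n".join(AUDIT_LOG))
```

The point of the decoy verification is that making the message keys identical, as the original post suggests, removes the textual oracle but not necessarily the timing one: a server that only hashes the password when the account exists still answers faster for unknown users. A check like `responses_are_indistinguishable()` belongs in the test suite so a later change to either exception path cannot quietly reintroduce a difference.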