Username Disclosure
- CWE 200
- OWASP 2017-A6
- CAPEC 118
- WASC 13
- OWASP PC-C7
This issue requires manual confirmation.
Username Disclosure occurs when web applications inadvertently reveal usernames of registered users, administrators, or system accounts. This can happen via login forms, error messages, profile pages, API responses, or backup files. Exposed usernames give attackers a head start for brute-force attacks, password guessing, social engineering, or credential stuffing campaigns, increasing the risk of account compromise.
Common patterns leading to username disclosure:
- Login pages indicating which part of a login attempt is incorrect (e.g., "username not found").
- Publicly accessible user directories or profile listings.
- Error messages or logs exposing user account details.
- Backup or development files containing usernames.
- API endpoints returning usernames without authentication or access control.
Impacts:
- Facilitates Account Compromise: Attackers can focus on known usernames for password attacks.
- Enables Credential Stuffing: Previously leaked or reused credentials can be exploited.
- Social Engineering: Knowing usernames allows targeted phishing or impersonation attempts.
- Reconnaissance: Revealed usernames provide insight into roles, system accounts, or organizational structure.
Detection indicators:
- Login pages providing different error messages for invalid usernames versus passwords.
- Publicly accessible endpoints or files listing usernames.
- Security scanners detecting exposed usernames.
Remediation
Mitigation focuses on limiting exposure and enforcing secure authentication:
- Use Generic Login Error Messages: Avoid specifying whether a username or password is incorrect.
- Restrict Public Access to User Information: Ensure that user lists, profiles, or account-related data are only accessible to authorized users.
- Sanitize Logs and Error Messages: Avoid writing usernames to publicly accessible logs or error pages.
- Implement Rate Limiting and Account Lockout: Protect against brute-force or enumeration attacks targeting disclosed usernames.
- Encrypt Sensitive Data: Ensure usernames stored in systems are handled securely and hashed where applicable.
- Monitor and Audit Access: Detect repeated attempts to enumerate or access usernames.
- Security Testing: Include checks for username disclosure during penetration testing and automated scans.
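The following is an added example, not code from the original page, showing the "Use Generic Login Error Messages" remediation alongside the first detection indicator (different responses for an unknown username versus a wrong password). It contrasts a disclosing login handler with a hardened one that returns the same status and message in both failure cases and performs the same password-hashing work whether or not the username exists, so neither the message nor the response time distinguishes them. The user store, the PBKDF2 parameters and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Constructed for this example: a password-hash store keyed by username.
# Iteration count is kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a username -> (salt, hash) store from plaintext test credentials."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# Dummy salt/hash so that an unknown username costs the same hashing work as a
# real one (removes the timing side channel, not only the message difference).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

LoginFn = Callable[[Dict[str, Tuple[bytes, bytes]], str, str], Tuple[int, str]]


def login_disclosing(store, username: str, password: str) -> Tuple[int, str]:
    """Vulnerable pattern: the response reveals whether the username exists."""
    if username not in store:
        return 404, "username not found"
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return 401, "incorrect password"
    return 200, "ok"


def login_generic(store, username: str, password: str) -> Tuple[int, str]:
    """Hardened pattern: identical status and message for unknown user and wrong
    password, and identical hashing work in both cases."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership check guards the corner case where a caller submits the
    # dummy password for a nonexistent account.
    valid = hmac.compare_digest(candidate, expected) and username in store
    if not valid:
        return 401, "invalid username or password"
    return 200, "ok"


def reveals_username_existence(login: LoginFn, store, known_user: str,
                               unknown_user: str) -> bool:
    """Detection check: does the response for a nonexistent username differ from
    the response for an existing username with a wrong password?"""
    wrong_password = "not-the-real-password"
    return login(store, unknown_user, wrong_password) != login(store, known_user, wrong_password)


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    for name, handler in (("disclosing", login_disclosing), ("generic", login_generic)):
        print(name, "discloses usernames:",
              reveals_username_existence(handler, users, "alice", "bob"))
```

The detection helper is the same comparison a scanner performs on a live login form: two failed attempts, one with a username that cannot exist and one with a real username, compared on status code and body. On the hardened handler the two responses are indistinguishable.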