User enumeration disclosure in CAS


Dennis Rech

Dec 10, 2024, 9:34:45 PM
to CAS Developer

Hi,

we're using CAS and just had a security audit. The analysts criticized the default behavior of the CAS system regarding feedback given on failed authentication.

Depending on whether a given user name is valid or not, the application returns different error texts. This can be used to identify/enumerate valid users.

Their suggestion was to only use one generic response for failed logins, no matter if the username or the password is wrong.

The relevant translation keys affected/used in this case are:

  • Invalid username: authenticationFailure.AccountNotFoundException ("Your account is not recognized and cannot log in at this time.")

  • Valid username: authenticationFailure.FailedLoginException ("Authentication attempt has failed, likely due to invalid credentials. Please verify and try again.")

This was already the case in CAS 6.x and is still occurring with the current CAS 7.x versions.

Of course we could just overwrite the translation keys in the overlay for all available languages and make the text identical, but maybe the application should just use one translation for both use cases to make it impossible for potential attackers to guess valid accounts.
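A defender-side check for the overlay approach described above, added here as an example and not part of the CAS project: it parses each message bundle in an overlay and flags every language file in which the two keys do not resolve to one identical text (or where one of them is not overridden at all and would fall back to the differing CAS default). The bundle contents below are constructed sample data.

```python
"""Flag overlay message bundles that still let a failed login reveal
whether the account exists (added example, not CAS project code)."""
import re

# The two translation keys named in the post.
KEYS = (
    "authenticationFailure.AccountNotFoundException",
    "authenticationFailure.FailedLoginException",
)

# Constructed sample overlay files: default bundle is fixed, the German one
# still differs, the French one overrides only one of the two keys.
SAMPLE_BUNDLES = {
    "messages.properties": (
        "# generic text for both outcomes\n"
        "authenticationFailure.AccountNotFoundException=Authentication attempt has failed. Please verify and try again.\n"
        "authenticationFailure.FailedLoginException=Authentication attempt has failed. \\\n"
        "    Please verify and try again.\n"
    ),
    "messages_de.properties": (
        "authenticationFailure.AccountNotFoundException=Ihr Konto ist nicht bekannt.\n"
        "authenticationFailure.FailedLoginException=Anmeldung fehlgeschlagen.\n"
    ),
    "messages_fr.properties": (
        "authenticationFailure.FailedLoginException=\\u00c9chec de l'authentification.\n"
    ),
}


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key: value, backslash line continuations and \\uXXXX escapes."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical.append(line)
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical[-1] = line[:-1]  # continued on the next line
            continue
        joined, logical = "".join(logical), []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            value = re.sub(r"\\u([0-9a-fA-F]{4})",
                           lambda x: chr(int(x.group(1), 16)), m.group(2))
            props[m.group(1)] = value
    return props


def leaking_bundles(bundles):
    """Return the names of bundles whose two failure texts are not one
    identical, overridden message (sorted, so the result is stable)."""
    bad = []
    for name, text in bundles.items():
        values = [parse_properties(text).get(k) for k in KEYS]
        if None in values or values[0] != values[1]:
            bad.append(name)
    return sorted(bad)
```

Run it over the real `src/main/resources` bundles of an overlay by reading each `messages*.properties` file into the dictionary; an empty result means no language still distinguishes unknown accounts from wrong passwords.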

Dennis Rech

Jan 27, 2025, 7:50:59 AM
to CAS Developer, Dennis Rech
@CAS developers: any feedback on this? Please check if this can be implemented. Any feedback will be highly appreciated. THX