Jump to content

Carl L

  • Content Count

  • Joined

  • Last visited

  1. Thank you. I do see this is enabled and it uses session cookies to detect and block brute force attempts. This is certainly a step in the right but is trivial to bypass. Automated tooling allows you to work around this by spinning up another session. I appreciate the quick responses and look forward to any possible resolution. Thank you!
  2. Thank you for the fast response! In an instance like this, the more generic, the better. I think something like "Error - Contact your Administrator/Support" would be a good choice. I know that this can possiibly lead to some problems with troubleshooting, but it prevents the enumeration of valid accounts. I was not aware of the brute force detection built into the page, but I do know this particular issue was recently a find on a third-party pentest we had performed on our organization. Is there documentation available detailing this feature? I'd be very
  3. Haven't seen this here yet, and please point me in that direction if a thread already exists, but I'd like to request a change to the error message that is displayed at the Self-Service Password Rest Portal. Currently, if you input a username that does not exist, you are told that the username was not found. This allows an attacker to enumerate valid accounts for your organization and proceed with related attacks against Security Questions, MFA options and other attack avenues. Could this be a more generic message that does not indicate whether an account is valid or not?
  • Create New...