Recipe Name:
Authentication: Username Enumeration: avoid UsernameNotFoundException
Description:
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Avoid attackers from guessing usernames by throwing a BadCredentialsException() which returns a more general error message, instead of a UsernameNotFoundException(), which divulges the (non-)existence of a username.

Before
throw new UsernameNotFoundException(e.Message());
After
throw new BadCredentialsException(e.Message());
References
Recipe
id: scw:spring:authentication-user-enum-UsernameNotFoundException
version: 10
metadata:
  name: 'Authentication: Username Enumeration: avoid UsernameNotFoundException'
  shortDescription: Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
  level: warning
  language: java
  scwCategory: auth:userenum
  cweCategory: 200
  enabled: true
  comment: ""
  descriptionFile: descriptions/Authentication_Username_Enumeration_avoid_UsernameNotFoundException.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  instanceCreation:
    in:
      throw: {}
    type: org.springframework.security.core.userdetails.UsernameNotFoundException
availableFixes:
- name: Throw a more general BadCredentialsException
  actions:
  - rewrite:
      to: new org.springframework.security.authentication.BadCredentialsException({{{arguments}}})