Recipe Name:
Authentication: Username Enumeration: avoid UsernameNotFoundException
Description:
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
Avoid attackers from guessing usernames by throwing a BadCredentialsException()
which returns a more general error message, instead of a UsernameNotFoundException()
, which divulges the (non-)existence of a username.
throw new UsernameNotFoundException(e.Message());After
throw new BadCredentialsException(e.Message());References
Recipe
id: scw:spring:authentication-user-enum-UsernameNotFoundException version: 10 metadata: name: 'Authentication: Username Enumeration: avoid UsernameNotFoundException' shortDescription: Avoid throwing a UsernameNotFoundException as it could lead to username enumeration level: warning language: java scwCategory: auth:userenum cweCategory: 200 enabled: true comment: "" descriptionFile: descriptions/Authentication_Username_Enumeration_avoid_UsernameNotFoundException.html tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10 search: instanceCreation: in: throw: {} type: org.springframework.security.core.userdetails.UsernameNotFoundException availableFixes: - name: Throw a more general BadCredentialsException actions: - rewrite: to: new org.springframework.security.authentication.BadCredentialsException({{{arguments}}})