Recipe Name:
Authentication: Username Enumeration: avoid UsernameNotFoundException
Description:
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
Avoid attackers from guessing usernames by throwing a BadCredentialsException() which returns a more general error message, instead of a UsernameNotFoundException(), which divulges the (non-)existence of a username.
throw new UsernameNotFoundException(e.Message());After
throw new BadCredentialsException(e.Message());References
Recipe
id: scw:spring:authentication-user-enum-UsernameNotFoundException
version: 10
metadata:
name: 'Authentication: Username Enumeration: avoid UsernameNotFoundException'
shortDescription: Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
level: warning
language: java
scwCategory: auth:userenum
cweCategory: 200
enabled: true
comment: ""
descriptionFile: descriptions/Authentication_Username_Enumeration_avoid_UsernameNotFoundException.html
tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
instanceCreation:
in:
throw: {}
type: org.springframework.security.core.userdetails.UsernameNotFoundException
availableFixes:
- name: Throw a more general BadCredentialsException
actions:
- rewrite:
to: new org.springframework.security.authentication.BadCredentialsException({{{arguments}}})