Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)

From OWASP
Revision as of 09:53, 28 July 2013 by Andrew Muller (Talk | contribs)


Summary

Most systems are provisioned with default and test accounts to aid the installation, configuration and testing of applications. These accounts are often overlooked when the system enters production. User account names are often structured, so valid account names can easily be guessed. In other cases, valid account names can be found using internet search engines.

Test objectives

Verify the structure of account names
Verify the application's response to valid and invalid account names
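The second objective, as an added example that is not part of the OWASP page: a login handler whose error messages reveal whether an account exists, the remediated handler beside it, and a differential check that applies the test to both. The user store, usernames, passwords and messages are all constructed for the example.

```python
"""
Added example (not from the OWASP page): a login handler that leaks account
existence through its error message, a hardened version, and a differential
check of the kind OTG-IDENT-004 asks for, run against both.
All usernames, passwords and messages here are constructed.
"""
import hmac

# Constructed user store: the only valid account is "admin", a default-style
# name of the kind the summary warns is easily guessed. A real deployment
# stores and compares a password hash, not the password itself.
USERS = {"admin": "s3cr3t-placeholder"}


def leaky_login(username: str, password: str) -> str:
    """Vulnerable: the message differs depending on whether the account exists."""
    if username not in USERS:
        return "Unknown user"          # reveals that the account does not exist
    if not hmac.compare_digest(USERS[username], password):
        return "Wrong password"        # reveals that the account does exist
    return "OK"


def hardened_login(username: str, password: str) -> str:
    """Remediated: one generic message for every failure, and the password
    comparison is not skipped for unknown users, so the code path is the same."""
    stored = USERS.get(username, "")
    matched = hmac.compare_digest(stored, password)
    ok = username in USERS and matched
    return "OK" if ok else "Invalid username or password"


def enumerates_accounts(login, valid_user: str, invalid_user: str) -> bool:
    """Test objective: does the response to a valid account with a wrong
    password differ from the response to an account that does not exist?
    A deliberately wrong password is used so that neither attempt succeeds."""
    bad_password = "definitely-not-the-password"
    return login(valid_user, bad_password) != login(invalid_user, bad_password)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_login), ("hardened", hardened_login)):
        print(f"{name}: enumerable = {enumerates_accounts(fn, 'admin', 'nosuchuser')}")
```

Response bodies are only one channel; the same comparison should be made for status codes, redirects and response times before concluding that an application does not distinguish valid from invalid account names.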


How to test

Example

Tools

References

Remediation