User Enumeration- Forgot Password #VDP

ganiganeshss79
Dec 16, 2021


User Enumeration:

User enumeration is a vulnerability in which an attacker can determine whether a given username or email address is registered with an application, typically by observing differences in how the application responds to valid and invalid identifiers.

Vulnerability:

On the forgot-password page, enter any email address you want to look up, for example “abc@gmail.com”. If the address is registered, the application sends a reset email; if it is not, it responds with an error page reading “No user exists for this e-mail address: abc@gmail.com”.

Because the response differs in the two cases, this error message acts as an oracle: by submitting a list of candidate addresses, an attacker can determine which of them belong to existing accounts.

Mitigation:

Return the same response regardless of whether the address is registered, for example: “If a user account exists with this email address, you will receive an email shortly.” The HTTP status code must also be identical in both cases, and the reset email should be sent out of band (for example, queued) so that response time does not reveal which branch was taken.
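The following is an added example, not the affected application's code, illustrating both the vulnerable behaviour described above and the mitigation. The handlers, the registered-user set and the `Response` type are constructed for illustration; `enumeration_oracle` is the check a tester would run, comparing the response for a known-registered address against the response for a probe address.

```python
"""Forgot-password user enumeration: vulnerable vs hardened handler.

Added example; the handlers, the user set and the mailer stub below are
constructed for illustration and are not the affected application's code.
"""
from dataclasses import dataclass

# Constructed sample user database: only these addresses are registered.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def send_reset_email(email: str) -> None:
    """Stand-in for the mailer; a real app would enqueue a token email here."""
    return None


def forgot_password_vulnerable(email: str) -> Response:
    """Leaks account existence: status and message differ per branch."""
    if email in REGISTERED_USERS:
        send_reset_email(email)
        return Response(200, "A password reset email has been sent.")
    # The error branch both changes the status code and echoes the input.
    return Response(404, f"No user exists for this e-mail address: {email}")


def forgot_password_hardened(email: str) -> Response:
    """Same status and message whether or not the address is registered."""
    if email in REGISTERED_USERS:
        send_reset_email(email)  # would be queued, so timing stays flat
    return Response(
        200,
        "If a user account exists with this email address, "
        "you will receive an email shortly.",
    )


def enumeration_oracle(handler, known_registered: str, probe: str) -> bool:
    """Tester's check: does the probe response differ from a known-registered one?

    Returns True when status or body differ, meaning the handler acts as an
    oracle for account existence.
    """
    baseline = handler(known_registered)
    probed = handler(probe)
    return (baseline.status, baseline.body) != (probed.status, probed.body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", forgot_password_vulnerable),
                          ("hardened", forgot_password_hardened)):
        leaks = enumeration_oracle(handler, "alice@example.com", "abc@gmail.com")
        print(f"{name}: {'leaks existence' if leaks else 'no observable difference'}")
```

Running the block shows the vulnerable handler answering differently for the two addresses while the hardened one does not. In a real assessment, compare status codes, bodies, headers and response times, not just the visible message.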
