Closed by sparkinthedarkness 1 year ago
It already exists?
I'm not sure if you really meant for this to be "new" or just a revision of the existing content. Anyway, I'm going to assume it's being added to the existing content.
@sparkinthedarkness I've unassigned you until we have a better description of what you'd like to see happen. This is mostly covered in the test case @kingthorin mentioned.
Can you possibly detail a bit better what you'd like to see happening?
Thanks for having the interest to improve the content!
Adding to the mentioned test, this should help cover as well most use cases: https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.md
Let me know if something is still missing.
@ThunderSon "testing for default credentials" is different from what I suggested in my first comment.
I think I should explain more.
A normal user (who has not registered on the website yet) visits the website and decides to create an account. My suggestion is: this unregistered user should not be able to select these usernames: admin, administrator, moderate and so on.
These usernames should be reserved and unselectable whether these usernames really exist on the target website or not, because many websites have features where users can reply to others' comments or send messages to other users, or anything like this. In this case, if a normal user has a username like "admin", it can mislead or deceive others.
In addition to the registration process, the user should not be able to edit their current username to one of them (admin, administrator, ...) on the profile editing page either.
@sparkinthedarkness I now understand the difference, thanks for the details.
This can be better fitting in the cheat sheets project, as it is a best practice, and not an actionable threat. @kingthorin what's your take on this?
I agree. I guess we could add a few lines in a heading like "Test for Staff Impersonation" or something like that. Otherwise I suggest closing and opening against the https://github.com/OWASP/CheatSheetSeries project.
Hi, hope you're doing well.
I have a suggestion for the WSTG "Account Enumeration and Guessable User Account" section.
I think it's good to add this test case: in the registration process and when editing the profile on websites, users must not be allowed to set usernames like "admin", "administrator", "moderate" and so on.
What do you think about this? Do you agree?
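As an added example (not code from the WSTG project or from any participant in this thread), the following Python module shows the control discussed above, in both places it has to be enforced: the registration path and the profile-edit path share one reserved-username check, so the rename form cannot be used to bypass it. The reserved list, the normalization rules (case folding, separator stripping, trailing digits so that `Admin_01` is treated as `admin`) and the in-memory user store are all assumptions made for the example; a real deployment would keep its own list of staff and system names.

```python
import re
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed example list; a real site keeps its own (staff roles, system
# accounts, well-known mailbox names, brand names, and so on).
RESERVED_USERNAMES = frozenset({
    "admin", "administrator", "moderator", "moderate", "root", "support",
    "staff", "system", "security", "webmaster", "postmaster", "help",
})

_ALLOWED = re.compile(r"[A-Za-z0-9._-]+")
_SEPARATORS = re.compile(r"[\s._-]+")
_TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(username: str) -> str:
    """Canonical form used only for comparison: NFKC, case-folded, separators removed.

    NFKC maps compatibility forms (e.g. fullwidth letters) onto ASCII so that a
    look-alike spelling of a reserved word does not slip past a plain string compare.
    """
    folded = unicodedata.normalize("NFKC", username).casefold()
    return _SEPARATORS.sub("", folded)


def is_reserved(username: str) -> bool:
    """True if the name, after normalization, equals or trivially imitates a reserved name."""
    canon = normalize(username)
    if not canon:
        return False
    if canon in RESERVED_USERNAMES:
        return True
    # "admin1" / "Admin_01" -> "admin"
    return _TRAILING_DIGITS.sub("", canon) in RESERVED_USERNAMES


def check_username(candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is acceptable.

    This single function is the policy; every path that sets a username calls it.
    """
    candidate = candidate.strip()
    if not 3 <= len(candidate) <= 32:
        return "username must be 3-32 characters"
    if not _ALLOWED.fullmatch(candidate):
        return "username may contain only letters, digits, '.', '_' and '-'"
    if is_reserved(candidate):
        return "that username is reserved"
    return None


def _taken(users: Dict[str, dict], name: str, except_for: Optional[str] = None) -> bool:
    """Case-insensitive uniqueness check, optionally ignoring the caller's own record."""
    return any(u.casefold() == name.casefold() for u in users if u != except_for)


def register(users: Dict[str, dict], username: str) -> Tuple[bool, str]:
    """Registration path: returns (True, accepted name) or (False, reason)."""
    reason = check_username(username)
    if reason:
        return False, reason
    name = username.strip()
    if _taken(users, name):
        return False, "username already taken"
    users[name] = {"username": name}
    return True, name


def rename(users: Dict[str, dict], current: str, new_username: str) -> Tuple[bool, str]:
    """Profile-edit path: the same check_username() applies, so reserved names are
    rejected here exactly as they are at registration."""
    if current not in users:
        return False, "unknown user"
    reason = check_username(new_username)
    if reason:
        return False, reason
    name = new_username.strip()
    if _taken(users, name, except_for=current):
        return False, "username already taken"
    users[name] = users.pop(current)
    users[name]["username"] = name
    return True, name


if __name__ == "__main__":
    store: Dict[str, dict] = {}
    print(register(store, "alice"))          # accepted
    print(register(store, "Administrator"))  # reserved
    print(rename(store, "alice", "root"))    # reserved on the edit path too
    print(rename(store, "alice", "Alice_2")) # ordinary rename still works
```

The point of routing both `register()` and `rename()` through `check_username()` is the second half of the suggestion in the thread: a test that only tries reserved names on the registration form has not finished, because the profile editor is a second way to end up with a username like "admin".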