abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Prevent e-mail address enumeration #19588

Closed ebicoglu closed 1 week ago

ebicoglu commented 2 weeks ago

Security vulnerability description:

It is possible to collect valid email addresses by interacting with the "Forgot Password" function of the application. This vulnerability is useful to increase the efficiency of brute force attacks. If the email is known, it is easier to find the corresponding password. The affected URL is /Account/ForgotPassword.

With the "Forgot Password" function, the security consultants were able to enumerate valid email addresses as the function returns "Cannot find the given email" error, when there is no user registered with the provided e-mail address. Figure 12 shows the error message received if the email is not registered.

image

If a user is registered with the provided email address, the application informs them that a recovery email has been sent as shown below.

image

Ref: https://portswigger.net/blog/preventing-username-enumeration


Explanation for this security issue:

This behavior is user-friendly, and it's a tradeoff between being user-friendly and security-friendly. The following popular websites all show user-friendly warning messages about user existence. So this is a behavior accepted worldwide.

image


Solution:

We can give this security level as an option. By default, the current behaviour will remain valid. With an extra configuration, we can change the response of the "forgot my password" request. If this option is enabled, we shouldn't show a positive or negative response depending on whether the user entered a valid email or not. Always show a generic message like the following:

If the provided e-mail address is registered in the system, we will send a password reset link. If you don't get an email within a few minutes, please check your spam box or try again later.
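As an added illustration of the option proposed above (this is not ABP's own code and does not use the ABP account module's types), the handler below is built on plain ASP.NET Core Identity. The `PasswordResetOptions` class, its `HideAccountExistence` flag, the `IResetMailSender` interface and the `ForgotPasswordHandler` class are all hypothetical names chosen for the example; `UserManager<TUser>.FindByEmailAsync` and `GeneratePasswordResetTokenAsync` are the real Identity APIs. With the flag off, the two distinct messages from the report are returned; with it on, both branches return the same generic message and the same success status.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical option type for the example: default keeps today's behaviour.
public class PasswordResetOptions
{
    public bool HideAccountExistence { get; set; } = false;
}

// Hypothetical mail abstraction so the example has no dependency on a real sender.
public interface IResetMailSender
{
    Task SendAsync(string to, string subject, string body);
}

public record ForgotPasswordResult(bool Succeeded, string Message);

public class ForgotPasswordHandler
{
    private const string GenericMessage =
        "If the provided e-mail address is registered in the system, we will send a password reset link. " +
        "If you don't get an email within a few minutes, please check your spam box or try again later.";

    private readonly UserManager<IdentityUser> _userManager;
    private readonly IResetMailSender _mailSender;
    private readonly PasswordResetOptions _options;

    public ForgotPasswordHandler(
        UserManager<IdentityUser> userManager,
        IResetMailSender mailSender,
        PasswordResetOptions options)
    {
        _userManager = userManager;
        _mailSender = mailSender;
        _options = options;
    }

    // buildResetUrl turns the Identity reset token into the link placed in the e-mail.
    public async Task<ForgotPasswordResult> HandleAsync(string email, Func<string, string> buildResetUrl)
    {
        var user = await _userManager.FindByEmailAsync(email);

        if (user != null)
        {
            // Only a registered user can get a token; the mail goes out as before.
            var token = await _userManager.GeneratePasswordResetTokenAsync(user);
            await _mailSender.SendAsync(email, "Password reset", buildResetUrl(token));
        }

        if (_options.HideAccountExistence)
        {
            // Same message and same Succeeded value on both branches, so the
            // response body no longer reveals whether the address is registered.
            return new ForgotPasswordResult(true, GenericMessage);
        }

        // Current, user-friendly behaviour: distinct messages per branch.
        return user != null
            ? new ForgotPasswordResult(true, "A password reset link has been sent to your e-mail address.")
            : new ForgotPasswordResult(false, "Cannot find the given email");
    }
}
```

One design note from the editor, not from the issue: with the flag on, the response body stops being an oracle, but the registered-address branch still does extra work (token generation and mail delivery), so response time can differ between the two cases. Handing the mail to a background queue instead of sending it inline narrows that gap; the PortSwigger reference linked above discusses timing-based enumeration as well.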