Identity Management / Weak or Unenforced Username Policy

Web and API

Description

Weak or Unenforced Username Policy is an Identity Management weakness covered by the OWASP Web Security Testing Guide under WSTG-IDNT-005. It occurs when a website or API lets users register, or issues them, account names that follow a predictable scheme (first initial plus surname, the e-mail address, a sequential employee or customer number, default names such as admin or test) while the rest of the login design still treats the username as if it were a secret. An attacker can derive or enumerate the account names, which leaves the password as the only thing protecting each account; when the login, registration or password-reset endpoint also answers differently for an unknown username than for a wrong password, the attacker can confirm which names are valid and concentrate password-spraying or credential-stuffing attempts on them. The problem is not username length or character classes in the sense of a password policy: it is that the naming scheme is predictable and the application leaks whether a guess was right.

Risk

The risk is that an attacker who can derive or enumerate valid usernames has removed half of the credential and can mount targeted password-spraying, credential-stuffing and phishing campaigns against confirmed accounts. A successful guess leads to account takeover and access to whatever data and resources that account holds; the list of valid accounts is itself a disclosure, since it confirms who has an account on the service. The severity can be assessed with the OWASP Risk Rating Methodology, which scores likelihood and impact factors from 0 to 9 and combines them into an overall rating of Low, Medium, High or Critical.

Solution

Treat the username as public and make sure nothing else in the login design depends on it being secret. Where the application assigns usernames, avoid trivially derivable schemes such as sequential IDs for privileged accounts, and rename or disable default accounts such as admin. Return the same error message, status code and response time for an unknown username as for a wrong password, on login, registration, password reset and every other endpoint that takes a username, so the application cannot be used as an oracle for valid accounts. Rate-limit and lock out repeated failures, keyed on the source as well as the target account so that a lockout cannot be turned into a denial of service against known users. Require a second factor, so that a guessed username combined with a sprayed password is still not enough to get in. A strong password policy remains necessary, but it is a separate control from the username policy and does not substitute for it.
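The enumeration described above and the uniform-response fix, as an added example that is not code from the original page or from any product: `vulnerable_login` returns a different message for an unknown username than for a wrong password and skips the password hash for unknown names (a timing tell as well as a text one); `hardened_login` returns one message, does the same hashing work on both paths and locks the name after repeated failures; `enumerate_users` is the attacker's loop that confirms which names in a candidate list exist. The user store, usernames, passwords and the per-username lockout counter are all constructed for the demonstration.

```python
"""Added example: a login handler that acts as a username oracle, next to a
hardened handler that does not, and the attacker's enumeration loop.
Everything here (user store, names, passwords, salt) is constructed for the demo."""
import hashlib
import hmac
import os
from collections import defaultdict

# Demo-only fixed salt; a real system stores a random salt per user.
_SALT = b"demo-salt-not-for-production"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store: a predictable initial.surname scheme plus a default account.
USERS = {
    "j.smith": _hash("Winter2024!"),
    "admin": _hash("correct horse"),
}

# Hash of a random throw-away password, so an unknown username costs the same
# PBKDF2 work as a known one and can never match.
_DUMMY = _hash(os.urandom(16).hex())

INVALID = "Invalid username or password"


def vulnerable_login(username: str, password: str) -> tuple[bool, str]:
    """Username oracle: distinct messages, and unknown names skip the hash."""
    if username not in USERS:
        return False, "Unknown username"
    if hmac.compare_digest(USERS[username], _hash(password)):
        return True, "OK"
    return False, "Incorrect password"


MAX_FAILURES = 5
_failures: defaultdict[str, int] = defaultdict(int)  # in-memory, per username (demo)


def hardened_login(username: str, password: str) -> tuple[bool, str]:
    """Same message and same work whether or not the username exists,
    plus a lockout after MAX_FAILURES consecutive failures for that name."""
    if _failures[username] >= MAX_FAILURES:
        return False, INVALID  # locked, but still the generic message
    stored = USERS.get(username, _DUMMY)  # always run PBKDF2, even for unknown names
    match = hmac.compare_digest(stored, _hash(password))
    if match and username in USERS:
        _failures[username] = 0
        return True, "OK"
    _failures[username] += 1
    return False, INVALID


def is_locked(username: str) -> bool:
    return _failures[username] >= MAX_FAILURES


def enumerate_users(login, candidates):
    """Attacker's view: a candidate is confirmed when a wrong-password attempt
    yields a different message than an obviously bogus username does."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), "wrong-password")[1]
    return [name for name in candidates if login(name, "wrong-password")[1] != baseline]


if __name__ == "__main__":
    names = ["j.smith", "admin", "k.jones", "test"]
    print("vulnerable:", enumerate_users(vulnerable_login, names))  # ['j.smith', 'admin']
    print("hardened:  ", enumerate_users(hardened_login, names))  # []
```

The per-username counter is enough to show the idea but, on its own, lets anyone who knows the naming scheme lock real users out; in production combine it with per-source rate limiting and a second factor, and apply the same uniform-response rule to registration and password-reset endpoints, which are the usual places the oracle survives after login has been fixed.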

Example

For example, in the CVE-2021-25386 vulnerability, the API did not enforce a username policy: account names followed a guessable scheme, and the login endpoint responded differently to a valid username with a wrong password than to an unknown username. An attacker could therefore walk a list of candidate names, keep the ones the endpoint confirmed, and then attack only the password of those accounts. The request below shows the shape of the endpoint where the weakness was found:

POST /login

{
    "username": "<USERNAME>",
    "password": "<PASSWORD>"
}
