Friday 12 October 2018

Username Enumeration

Username enumeration can be prevented by having your controllers call back to a username_unique function (see image below) that checks whether the requested username already exists; if the query returns num_rows == 1, the controller refuses to create another account with that username.

Error messages should also be consistent. At most they should say that a chosen username is not available; they must never list or confirm valid usernames, and the response for a valid username should not differ from the response for an invalid one (on login and password-reset forms as well as registration), because an attacker uses such differences to build a list of real accounts and make educated guesses in a later attack.
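The following is an added Python illustration of the two points above, not the PHP controller shown in the original post's image. It assumes an in-memory SQLite table, a hypothetical username_unique check backed by a UNIQUE constraint (the database constraint catches the race where two requests pass the check at the same time), and generic error strings that are identical whether or not the username exists. The login path also hashes a dummy password for unknown users so that the "user not found" branch does the same work as the "wrong password" branch.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical, deliberately generic messages: the same text is returned
# regardless of whether the username exists.
GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_REGISTER_ERROR = "That username is not available."

PBKDF2_ITERATIONS = 100_000


def open_db():
    """Create a constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE,"   # enforced even if the check-then-insert races
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Dummy credentials hashed at import time; used so that a login attempt for a
# non-existent user costs the same as one for an existing user with a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


def username_unique(conn, username):
    """Return True if no account with this username exists (the post's num_rows check)."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()
    return count == 0


def register(conn, username, password):
    """Create the account; refuse duplicates with a generic message."""
    if not username_unique(conn, username):
        return (False, GENERIC_REGISTER_ERROR)
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
        conn.commit()
    except sqlite3.IntegrityError:
        # A concurrent request won the race; still answer with the same generic text.
        return (False, GENERIC_REGISTER_ERROR)
    return (True, "Account created.")


def login(conn, username, password):
    """Authenticate; unknown user and wrong password produce the identical response."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        exists, salt, stored = False, _DUMMY_SALT, _DUMMY_HASH
    else:
        exists, (salt, stored) = True, row
    # Always compute and compare the hash so both branches take similar time.
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if exists and matches:
        return (True, "Login successful.")
    return (False, GENERIC_LOGIN_ERROR)


if __name__ == "__main__":
    db = open_db()
    print(register(db, "alice", "correct horse battery staple"))
    print(register(db, "alice", "another password"))   # duplicate, generic refusal
    print(login(db, "alice", "wrong"))                  # wrong password
    print(login(db, "nobody", "wrong"))                 # unknown user, same message
```

The check in username_unique is the same num_rows style test the post describes; the UNIQUE constraint and the IntegrityError handler are the extra piece a practitioner wants, because a check followed by an insert is not atomic. Comparing the two failed login responses in the demo shows they are byte-for-byte identical.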





Prepared by: Che Wahida Binti Che Pauzur
Source: http://www.monitis.com
