Testing for Weak or Unenforced Username Policy
OWASP Web Security Testing Guide 4.2 > 3. Identity Management Testing > 3.5 Testing for Weak or Unenforced Username Policy
ID | Link to Hackinglife | Link to OWASP | Description |
---|---|---|---|
3.5 | WSTG-IDNT-05 | Testing for Weak or Unenforced Username Policy | - Determine whether a consistent account name structure renders the application vulnerable to account enumeration. - User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks), so valid account names can easily be guessed. - Determine whether the application's error messages permit account enumeration. |