Possible Username Enumeration
| Field | Value |
|---|---|
| ID | possible_username_enumeration |
| Severity | info |
| Kind | Authentication |
| CWE | 204 |
Description
It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' option in ZAP. Please manually check the 'Other Info' field to confirm whether this is actually an issue.
Rationale
Username enumeration allows attackers to identify valid user accounts by analyzing differences in application responses, such as distinct error messages, response times, or HTTP status codes. With a list of valid usernames, attackers can focus brute-force attacks only on known accounts, dramatically reducing the time needed to compromise user credentials. This vulnerability is commonly exploited in credential stuffing attacks and automated password guessing campaigns.
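The following is an added example, not code from the page or from ZAP. It shows a login handler that leaks account existence through its status code and message, the hardened form that returns one uniform failure response and does the same amount of password-hashing work for unknown users, and the comparison check the rule performs: send the same wrong password for a known-valid and a known-invalid username and flag any difference. The in-memory user store and the usernames are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (not from the page): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown username costs the same work as a known one,
# removing the response-time difference the rule also looks for.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: status and message reveal whether the username exists."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Wrong password"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Hardened: identical status, message and work for every failed login."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership test guards against a guess matching the dummy hash.
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def responses_differ(handler, valid_user: str, invalid_user: str) -> bool:
    """The check: same wrong password for a valid and an invalid username;
    any difference in status or body is a username-enumeration signal."""
    bad_password = "definitely-wrong"
    return handler(valid_user, bad_password) != handler(invalid_user, bad_password)
```

In a real assessment the comparison is made on the full HTTP response (status, headers, body), which is why the 'Other Info' field must be reviewed to rule out differences unrelated to the username.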