Username Hash Found

ID

username_hash_found

Severity

info

Kind

Authentication

CWE

284

Description

A hash of a username (admin) was found in the response. This may indicate that the application uses hashed usernames as object identifiers and is therefore subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing is required to determine whether this discovery can actually be abused.

Rationale

Exposing hashed usernames in responses indicates the application may use predictable object identifiers that can be enumerated or manipulated. An attacker can compute hashes for common usernames (admin, root, etc.) and match them against exposed hashes to identify privileged accounts. Combined with Insecure Direct Object Reference vulnerabilities, this allows unauthorized access to other users' data by manipulating the hash value in requests. This is particularly dangerous when authorization checks are missing or rely solely on the obscurity of the identifier.

Remediation

Use per-user or per-session indirect object references (create a temporary mapping at the time of use). Alternatively, ensure that every use of a direct object reference is tied to an authorization check confirming that the current user is authorized for the requested object.
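As an added illustration, not part of the original finding, the following Python shows the weak pattern this finding describes (a lookup keyed by a predictable username hash with no authorization check) beside the per-session indirect reference mapping the remediation recommends; the profile data, usernames and function names are constructed for the example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample data (not from the original finding): one profile per user.
PROFILES = {
    "alice": {"email": "alice@example.test"},
    "admin": {"email": "admin@example.test"},
}

def username_hash(name: str) -> str:
    """Predictable identifier: anyone can compute it for a guessed username."""
    return hashlib.sha256(name.encode()).hexdigest()

def get_profile_insecure(user_hash: str) -> Optional[dict]:
    """Weak pattern: the identifier in the request is a hash of a username and
    nothing checks whether the caller is entitled to that record."""
    for name, profile in PROFILES.items():
        if username_hash(name) == user_hash:
            return profile
    return None

class Session:
    """Server-side session holding a per-session indirect reference map."""
    def __init__(self, user: str):
        self.user = user
        self.refs: dict = {}  # opaque token -> real username (created at time of use)

def issue_ref(session: Session, name: str) -> str:
    """Create an indirect reference only for a record the session's user may
    see (here: their own profile). The token is random, not derived from the name."""
    if name != session.user:
        raise PermissionError(f"{session.user} may not reference {name}")
    token = secrets.token_urlsafe(16)
    session.refs[token] = name
    return token

def get_profile_secure(session: Session, token: str) -> dict:
    """Resolve the token inside the caller's own session, then re-check
    authorization on the resolved direct reference (defence in depth)."""
    name = session.refs.get(token)
    if name is None:
        raise LookupError("unknown reference for this session")
    if name != session.user:
        raise PermissionError("not authorized for the requested object")
    return PROFILES[name]
```

A token issued in one session resolves to nothing in another, so a client cannot reach someone else's record by guessing or recomputing an identifier.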