Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

User Enumeration

General Discussion

2

2

334

Log in to reply

J

john.mooney
last edited by

Hello, I was wondering if FusionAuth will mitigate User Enumeration attacks by apply some random response delay or any other method?
1 Reply Last reply
Reply Quote 0
D

dan
last edited by
Hiya,

Do you have a script or set of scripts which illustrates a valid user enumeration attack against FusionAuth?

I did a test of three kinds of user login:
- existing user, valid password
- existing user, invalid password
- user who didn't exist
And they all returned in roughly the same amount of time.
--
FusionAuth - Auth for devs, built by devs.
https://fusionauth.io
1 Reply Last reply
Reply Quote 0

1 / 1