Username Disclosure

low Web App Scanning Plugin ID 114615

Language:

Synopsis

Username Disclosure

Description

Web Applications can sometimes expose web applications users in various places such as HTML comments, JavaScript code or API requests. By leveraging this information, an attacker can gather information and build further attacks against the target application.

Solution

Avoid disclosing usernames in your application content.

See Also

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage

Plugin Details

Severity: Low

ID: 114615

Type: remote

Family: Data Exposure

Published: 3/11/2025

Updated: 3/11/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.3

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 16, 200

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1, 2021-A5

WASC: Application Misconfiguration, Information Leakage

CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-15

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

OWASP ASVS: 4.0.2-8.3.4

PCI-DSS: 3.2-6.5.8