There is one well-known username enumeration vulnerability in older versions of the Apache web server. Some distributions shipped a misconfiguration that let potential attackers identify existing usernames.
When an attacker submits an HTTP request for a possible user's home page, the server responds differently depending on whether the username exists or not:
Because the server responds differently in these cases, the potential attacker can test and enumerate existing usernames. The attacker can then use this data for further attacks on the server.
When you create a web part in your web application that enables users to log in, do not reveal information about existing usernames. For example, the web part must not respond differently in the following two cases:
If the submitted username is incorrect:
If the submitted username exists, but the password is incorrect:
If the responses differ, the attacker can learn which usernames exist in the system and which do not.
The default configuration of Kentico is protected against this type of attack.
If you plan to create a custom login web part, be sure to show only generic error messages:
In both situations (username does not exist or the password is incorrect):
This way, the attacker cannot distinguish between valid and invalid usernames.
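The following C# example is added here to illustrate the two patterns described above (the revealing login check and the generic-message login check); it is not code from Kentico or from this page. The user store, the password hashing and the `LoginHandler` class are constructed stand-ins: a real web part delegates user lookup and password verification to the membership API instead. Beyond the message text itself, the hardened version also performs the password check when the username is unknown, so that the amount of work (and therefore the response time) is the same in both failure cases.

```csharp
// Added example; not code from Kentico or from the documentation page.
// The user store and password check are constructed stand-ins for the
// membership API a real login web part would call.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class LoginResult
{
    public bool Success { get; private set; }
    public string Message { get; private set; }
    public LoginResult(bool success, string message)
    {
        Success = success;
        Message = message;
    }
}

internal sealed class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
}

public static class LoginHandler
{
    private const string GenericMessage = "The user name or password is incorrect.";

    // Constructed sample store (hypothetical account, not a real one).
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", MakeRecord("correct horse battery staple") }
        };

    // Used when the user name is unknown, so the hash is still computed and the
    // failure path does the same amount of work whether or not the user exists.
    private static readonly UserRecord DummyRecord = MakeRecord(Guid.NewGuid().ToString());

    // VULNERABLE pattern: a different message per failure case tells the caller
    // whether the user name exists.
    public static LoginResult LoginRevealing(string username, string password)
    {
        UserRecord record;
        if (!Users.TryGetValue(username, out record))
            return new LoginResult(false, "This user name does not exist.");
        if (!VerifyPassword(password, record))
            return new LoginResult(false, "Wrong password.");
        return new LoginResult(true, "Logged in.");
    }

    // HARDENED pattern: one message for both failure cases, and the password
    // check is always performed.
    public static LoginResult LoginGeneric(string username, string password)
    {
        UserRecord record;
        bool known = Users.TryGetValue(username, out record);
        bool passwordOk = VerifyPassword(password, known ? record : DummyRecord);
        if (!known || !passwordOk)
            return new LoginResult(false, GenericMessage);
        return new LoginResult(true, "Logged in.");
    }

    // Placeholder salted SHA-256 so the example is self-contained; a real web
    // part relies on the membership provider's password hashing, not on this.
    private static UserRecord MakeRecord(string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return new UserRecord { Salt = salt, Hash = HashPassword(password, salt) };
    }

    private static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Constant-time comparison: the loop always runs over the full length, so the
    // time taken does not depend on how many leading bytes match.
    private static bool VerifyPassword(string password, UserRecord record)
    {
        byte[] candidate = HashPassword(password, record.Salt);
        int diff = candidate.Length ^ record.Hash.Length;
        for (int i = 0; i < candidate.Length && i < record.Hash.Length; i++)
            diff |= candidate[i] ^ record.Hash[i];
        return diff == 0;
    }

    public static void Main()
    {
        // The revealing variant gives two different messages for the two cases.
        Console.WriteLine(LoginRevealing("bob", "x").Message);
        Console.WriteLine(LoginRevealing("alice", "x").Message);
        // The generic variant gives the same message for both.
        Console.WriteLine(LoginGeneric("bob", "x").Message);
        Console.WriteLine(LoginGeneric("alice", "x").Message);
        Console.WriteLine(LoginGeneric("alice", "correct horse battery staple").Success);
    }
}
```

When adapting this to a real web part, keep `GenericMessage` as the only text shown for any failed login, and make sure no other channel (HTTP status code, redirect target, or a differently timed response) distinguishes the two cases.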
In registration web parts, you cannot completely eliminate this vulnerability, because you have to check (and tell the user) whether the submitted username already exists. Therefore, always include a CAPTCHA in these web parts to prevent scripts from harvesting usernames automatically.
In this type of enumeration attack, the attacker tries to guess file names on the server in order to gain access to the files.
In Kentico, the attacker can, for example, try to guess the name of an export file. Export files are generally located in the <web project>\CMSSiteUtils\Export folder. The attacker can learn the structure of the file name and eventually guess an existing one (for example, by trying out different time stamps).
To protect your servers against this type of attack, forbid access to sensitive directories in the web.config file. See Restricting access to directories.
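As an added illustration of such a restriction (this fragment is written for this page and is not Kentico's own configuration), the following web.config `<location>` element uses standard ASP.NET URL authorization to deny every request for the export folder named above. The path is assumed to be relative to the web project root:

```xml
<configuration>
  <!-- Deny all requests for the export folder so that export files cannot be
       downloaded by guessing their names. Path is relative to the web root. -->
  <location path="CMSSiteUtils/Export">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that `<system.web><authorization>` is enforced by the ASP.NET pipeline, so it only covers requests that ASP.NET actually handles; on IIS in integrated mode, static files in the folder are covered only when managed modules run for all requests (`runAllManagedModulesForAllRequests="true"` in `<system.webServer><modules>`), or you can deny the path with IIS request filtering or IIS URL authorization instead. After applying the change, verify it by requesting a known file in the folder and confirming the server returns an access-denied response rather than the file.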