Early Access — Mondoo Vulnerability Intelligence is currently in preview.

CWE-307: Improper Restriction of Excessive Authentication Attempts | Mondoo Vulnerability Intelligence

CWE-307

BaseDraft

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

275 linked vulnerabilities

3 related weaknesses

Architecture and Design

Disconnecting the user after a small number of failed attempts
Implementing a timeout
Locking out a targeted account
Requiring a computational task on the user's part.

Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Access ControlBypass Protection Mechanism

An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Dynamic Analysis with Automated Results InterpretationEffectiveness: High

According to SOAR [REF-1479], the following detection techniques may be useful:

Dynamic Analysis with Manual Results InterpretationEffectiveness: High

According to SOAR [REF-1479], the following detection techniques may be useful:

Manual Static Analysis - Source CodeEffectiveness: High

According to SOAR [REF-1479], the following detection techniques may be useful: