Improper Restriction of Excessive Authentication Attempts| ID: 307 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software does not implement sufficient measures to prevent
multiple failed authentication attempts within in a short time frame, making it
more susceptible to brute force attacks.
Applicable PlatformsLanguage Class: Language-independent
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | An attacker could perform an arbitrary number of authentication
attempts using different passwords, and eventually gain access to the
targeted account. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Common protection mechanisms include: | | |
| Architecture and Design | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to
occur or provides constructs that make this weakness easier to avoid.Consider using libraries with authentication capabilities such as
OpenSSL or the ESAPI Authenticator. [R.307.1] | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-307 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In January 2009, an attacker was able to gain administrator access
to a Twitter server because the server did not restrict the number of login
attempts. The attacker targeted a member of Twitter's support team and was
able to successfully guess the member's password using a brute force attack
by guessing a large number of common words. Once the attacker gained access
as the member of the support staff, he used the administrator panel to gain
access to 33 accounts that belonged to celebrities and politicians.
Ultimately, fake Twitter messages were sent that appeared to come from the
compromised accounts.
- In the following C/C++ example the validateUser method opens a
socket connection, reads a username and password from the socket and
attempts to authenticate the username and password.
- The following code, extracted from a servlet's doPost() method,
performs an authentication lookup every time the servlet is
invoked.
- This code attempts to limit the number of login attempts by causing
the process to sleep before completing the authentication.
Observed Examples
- CVE-1999-1152 : Product does not disconnect or timeout after multiple failed logins.
- CVE-2001-1291 : Product does not disconnect or timeout after multiple failed logins.
- CVE-2001-0395 : Product does not disconnect or timeout after multiple failed logins.
- CVE-2001-1339 : Product does not disconnect or timeout after multiple failed logins.
- CVE-2002-0628 : Product does not disconnect or timeout after multiple failed logins.
- CVE-1999-1324 : User accounts not disabled when they exceed a threshold; possibly a resultant problem.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | AUTHENT.MULTFAIL | Multiple Failed Authentication Attempts not
Prevented | |
References:
- OWASP .OWASP Enterprise Security API (ESAPI) Project.
