Overly Restrictive Account Lockout Mechanism
Description
The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily. This allows attackers to deny service to legitimate users by causing their accounts to be locked out.

Extended Description
Account lockout is a security feature often present in applications as a countermeasure to brute-force attacks on the system's password-based authentication mechanism. After a certain number of failed login attempts, the user's account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users: anyone who can submit failed login attempts for a known username can lock that user out at will. It is therefore important to ensure that the account lockout mechanism is not overly restrictive.

Enabling Factors for Exploitation
- The system has an account lockout mechanism.
- An attacker must be able to trigger the account lockout mechanism.
- The cost to the attacker of triggering the account lockout mechanism is less than the cost of re-enabling the account.

Likelihood of Exploit: High

Applicable Platforms
Language Class: All

Time Of Introduction
Common Consequences
Detection Methods: None

Potential Mitigations
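The following is an added illustration, not code from the CWE entry or from any product it describes. It contrasts a naive lockout policy that counts failures per account (so an attacker who knows a username can lock the real user out with a handful of requests) with a policy that keys failures on the requesting source and punishes that source with an exponentially growing delay instead of a hard lock. The user store, the usernames, passwords, addresses, thresholds and delays are all assumptions made for this example.

```python
"""Added illustration (not code from the CWE entry or any product it describes).

Two lockout policies for the same constructed user store:
  * NaiveLockout   - locks the account after MAX_FAILS bad passwords from anyone,
                     so an attacker who knows a username can lock the victim out.
  * SourceThrottle - keys failures on (source address, account) and delays that
                     source with exponential back-off, leaving the victim's own
                     logins unaffected.
Thresholds, addresses, usernames and passwords are assumptions for this example.
"""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store: username -> PBKDF2-HMAC-SHA256 hash (fixed salt for brevity).
_SALT = b"constructed-salt"
_ITER = 10_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}


def _password_ok(user, password):
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(stored, candidate)


class NaiveLockout:
    """Weak design: failures are counted per account, whoever sent them."""
    MAX_FAILS = 3

    def __init__(self):
        self.fails = defaultdict(int)   # user -> consecutive failures
        self.locked = set()

    def login(self, user, password, source):
        if user in self.locked:
            return "locked"             # the legitimate user is denied too
        if _password_ok(user, password):
            self.fails[user] = 0
            return "ok"
        self.fails[user] += 1
        if self.fails[user] >= self.MAX_FAILS:
            self.locked.add(user)       # stays locked until an admin intervenes
        return "denied"


class SourceThrottle:
    """Hardened design: failures are keyed on (source, user) and answered with a
    growing delay rather than a permanent lock, so an attacker only slows down
    their own source."""
    BASE_DELAY = 1.0    # seconds after the first failure (assumption)
    MAX_DELAY = 300.0   # cap so repeated failures cannot inflate the delay forever

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.fails = defaultdict(int)         # (source, user) -> consecutive failures
        self.not_before = defaultdict(float)  # (source, user) -> earliest next attempt

    def login(self, user, password, source):
        key = (source, user)
        now = self.clock()
        if now < self.not_before[key]:
            return "throttled"
        if _password_ok(user, password):
            self.fails.pop(key, None)
            self.not_before.pop(key, None)
            return "ok"
        self.fails[key] += 1
        delay = min(self.BASE_DELAY * 2 ** (self.fails[key] - 1), self.MAX_DELAY)
        self.not_before[key] = now + delay
        return "denied"


class FakeClock:
    """Manually advanced clock so the back-off can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def attacker_then_victim(policy, attempts=3):
    """Constructed scenario: an attacker at 203.0.113.9 submits `attempts` wrong
    passwords for alice, then alice logs in correctly from 198.51.100.7.
    Returns the outcome of alice's genuine login."""
    for _ in range(attempts):
        policy.login("alice", "wrong", source="203.0.113.9")
    return policy.login("alice", "correct horse", source="198.51.100.7")


if __name__ == "__main__":
    print("naive lockout, victim's result:", attacker_then_victim(NaiveLockout()))      # locked
    print("source throttle, victim's result:", attacker_then_victim(SourceThrottle()))  # ok
```

The difference maps directly onto the third enabling factor above: under NaiveLockout three requests cost the attacker nothing and cost the victim an administrator call, whereas under SourceThrottle each failure raises only the attacker's own cost. Keying on the source is not a complete answer by itself, since an attacker with many addresses can spread guesses across them; in practice a per-account delay that grows but never becomes a hard lock, together with CAPTCHA or a second factor after repeated failures, is layered on top, and the behaviour for unknown usernames should match that for known ones so the throttle does not become a username oracle.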
Relationships
Demonstrative Examples: None

Observed Examples
White Box Definitions: None

Black Box Definitions: None

Taxonomy Mappings: None

References: None