According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners ``` Cost effective for partial coverage: ``` Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria
CWE-307 Base Draft
Improper Restriction of Excessive Authentication Attempts
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically…
Definition
What is CWE-307?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Without controls like account lockouts, rate limiting, or increasing time delays after failures, automated tools can make thousands of login attempts per minute. This makes brute-force and credential stuffing attacks highly effective, as attackers can try common passwords or leaked credentials until they succeed. Implementing these restrictions is a fundamental security control for any authentication system.
Detecting and enforcing consistent authentication policies across all your services and APIs can be challenging. While SAST and DAST tools can identify missing protections, an ASPM like Plexicus helps by continuously monitoring your entire application stack for these misconfigurations and using AI to generate specific remediation guidance, streamlining the fix process.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-307
-
the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
User accounts not disabled when they exceed a threshold; possibly a resultant problem.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
- 2
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
- 3
However, the software makes no attempt to restrict excessive authentication attempts.
- 4
This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication.
- 5
However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack.
Verwundbares Codebeispiel
Vulnerable Java
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password); Sicheres Codebeispiel
Secure C
The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code.
int validateUser(char *host, int port)
{
...
int count = 0;
while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
isValidUser = AuthenticateUser(username, password);
}
}
count++;
}
if (isValidUser) {
return(SUCCESS);
}
else {
return(FAIL);
}
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-307
- Architecture and Design Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part.
- Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Erkennungssignale
How to detect CWE-307
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer ``` Cost effective for partial coverage: ``` Forced Path Execution
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Configuration Checker
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Plexicus erkennt CWE-307 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-307?
Wie gravierend ist CWE-307?
Welche Sprachen oder Plattformen sind von CWE-307 betroffen?
Wie kann ich CWE-307 verhindern?
Wie erkennt und behebt Plexicus CWE-307?
Wo erfahre ich mehr über CWE-307?
Frequently asked questions
Was ist CWE-307?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Wie gravierend ist CWE-307?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-307 betroffen?
MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.
Wie kann ich CWE-307 verhindern?
Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Wie erkennt und behebt Plexicus CWE-307?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-307 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-307?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/307.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-307
CWE-1390 Parent
Weak Authentication
This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check…
CWE-1391 Sibling
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-262 Sibling
Not Using Password Aging
This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.
CWE-263 Sibling
Password Aging with Long Expiration
The system enforces password changes, but the time allowed between changes is excessively long, weakening security.
CWE-289 Sibling
Authentication Bypass by Alternate Name
This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names…
CWE-290 Sibling
Authentication Bypass by Spoofing
This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing…
CWE-294 Sibling
Authentication Bypass by Capture-replay
This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain…
CWE-301 Sibling
Reflection Attack in an Authentication Protocol
A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing…
CWE-302 Sibling
Authentication Bypass by Assumed-Immutable Data
This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can…
Ressourcen
Further reading
- MITRE — offizielle CWE-307 https://cwe.mitre.org/data/definitions/307.html
- OWASP Enterprise Security API (ESAPI) Project https://owasp.org/www-project-enterprise-security-api/
- Weak Password Brings 'Happiness' to Twitter Hacker https://www.wired.com/2009/01/professed-twitt/
- This Black Box Can Brute Force Crack iPhone PIN Passcodes https://www.intego.com/mac-security-blog/iphone-pin-pass-code/
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.