According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners ``` Cost effective for partial coverage: ``` Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria
CWE-307 Base Brouillon
Improper Restriction of Excessive Authentication Attempts
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically…
Définition
What is CWE-307?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Without controls like account lockouts, rate limiting, or increasing time delays after failures, automated tools can make thousands of login attempts per minute. This makes brute-force and credential stuffing attacks highly effective, as attackers can try common passwords or leaked credentials until they succeed. Implementing these restrictions is a fundamental security control for any authentication system.
Detecting and enforcing consistent authentication policies across all your services and APIs can be challenging. While SAST and DAST tools can identify missing protections, an ASPM like Plexicus helps by continuously monitoring your entire application stack for these misconfigurations and using AI to generate specific remediation guidance, streamlining the fix process.
Impact réel
Real-world CVEs caused by CWE-307
-
the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
User accounts not disabled when they exceed a threshold; possibly a resultant problem.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
- 2
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
- 3
However, the software makes no attempt to restrict excessive authentication attempts.
- 4
This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication.
- 5
However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack.
Exemple de code vulnérable
Vulnerable Java
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password); Exemple de code sécurisé
Secure C
The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code.
int validateUser(char *host, int port)
{
...
int count = 0;
while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
isValidUser = AuthenticateUser(username, password);
}
}
count++;
}
if (isValidUser) {
return(SUCCESS);
}
else {
return(FAIL);
}
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-307
- Architecture and Design Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part.
- Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Signaux de détection
How to detect CWE-307
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer ``` Cost effective for partial coverage: ``` Forced Path Execution
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Configuration Checker
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Plexicus détecte automatiquement CWE-307 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-307 ?
Quelle est la gravité de CWE-307 ?
Quels langages ou plateformes sont affectés par CWE-307 ?
Comment puis-je prévenir CWE-307 ?
Comment Plexicus détecte et corrige CWE-307 ?
Où puis-je en savoir plus sur CWE-307 ?
Frequently asked questions
Qu'est-ce que CWE-307 ?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Quelle est la gravité de CWE-307 ?
MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.
Quels langages ou plateformes sont affectés par CWE-307 ?
MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.
Comment puis-je prévenir CWE-307 ?
Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Comment Plexicus détecte et corrige CWE-307 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-307 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-307 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/307.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-307
CWE-1390 Parent
Weak Authentication
This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check…
CWE-1391 Frère
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-262 Frère
Not Using Password Aging
This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.
CWE-263 Frère
Password Aging with Long Expiration
The system enforces password changes, but the time allowed between changes is excessively long, weakening security.
CWE-289 Frère
Authentication Bypass by Alternate Name
This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names…
CWE-290 Frère
Authentication Bypass by Spoofing
This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing…
CWE-294 Frère
Authentication Bypass by Capture-replay
This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain…
CWE-301 Frère
Reflection Attack in an Authentication Protocol
A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing…
CWE-302 Frère
Authentication Bypass by Assumed-Immutable Data
This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can…
Ressources
Further reading
- MITRE — CWE-307 officiel https://cwe.mitre.org/data/definitions/307.html
- OWASP Enterprise Security API (ESAPI) Project https://owasp.org/www-project-enterprise-security-api/
- Weak Password Brings 'Happiness' to Twitter Hacker https://www.wired.com/2009/01/professed-twitt/
- This Black Box Can Brute Force Crack iPhone PIN Passcodes https://www.intego.com/mac-security-blog/iphone-pin-pass-code/
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.