According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners ``` Cost effective for partial coverage: ``` Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria
CWE-307 Base Rascunho
Improper Restriction of Excessive Authentication Attempts
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically…
Definição
What is CWE-307?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Without controls like account lockouts, rate limiting, or increasing time delays after failures, automated tools can make thousands of login attempts per minute. This makes brute-force and credential stuffing attacks highly effective, as attackers can try common passwords or leaked credentials until they succeed. Implementing these restrictions is a fundamental security control for any authentication system.
Detecting and enforcing consistent authentication policies across all your services and APIs can be challenging. While SAST and DAST tools can identify missing protections, an ASPM like Plexicus helps by continuously monitoring your entire application stack for these misconfigurations and using AI to generate specific remediation guidance, streamlining the fix process.
Impacto no mundo real
Real-world CVEs caused by CWE-307
-
the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
Product does not disconnect or timeout after multiple failed logins.
-
User accounts not disabled when they exceed a threshold; possibly a resultant problem.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
- 2
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
- 3
However, the software makes no attempt to restrict excessive authentication attempts.
- 4
This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication.
- 5
However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack.
Exemplo de código vulnerável
Vulnerable Java
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password); Exemplo de código seguro
Secure C
The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code.
int validateUser(char *host, int port)
{
...
int count = 0;
while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
isValidUser = AuthenticateUser(username, password);
}
}
count++;
}
if (isValidUser) {
return(SUCCESS);
}
else {
return(FAIL);
}
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-307
- Architecture and Design Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part.
- Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Sinais de deteção
How to detect CWE-307
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer ``` Cost effective for partial coverage: ``` Forced Path Execution
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Configuration Checker
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
O Plexicus deteta automaticamente o CWE-307 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-307?
Qual a gravidade do CWE-307?
Que linguagens ou plataformas são afetadas pelo CWE-307?
Como posso prevenir o CWE-307?
Como é que o Plexicus deteta e corrige o CWE-307?
Onde posso saber mais sobre o CWE-307?
Frequently asked questions
O que é o CWE-307?
This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials.
Qual a gravidade do CWE-307?
A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.
Que linguagens ou plataformas são afetadas pelo CWE-307?
A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.
Como posso prevenir o CWE-307?
Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Como é que o Plexicus deteta e corrige o CWE-307?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-307 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-307?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/307.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-307
CWE-1390 Pai
Weak Authentication
This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check…
CWE-1391 Irmão
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-262 Irmão
Not Using Password Aging
This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.
CWE-263 Irmão
Password Aging with Long Expiration
The system enforces password changes, but the time allowed between changes is excessively long, weakening security.
CWE-289 Irmão
Authentication Bypass by Alternate Name
This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names…
CWE-290 Irmão
Authentication Bypass by Spoofing
This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing…
CWE-294 Irmão
Authentication Bypass by Capture-replay
This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain…
CWE-301 Irmão
Reflection Attack in an Authentication Protocol
A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing…
CWE-302 Irmão
Authentication Bypass by Assumed-Immutable Data
This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can…
Recursos
Further reading
- MITRE — CWE-307 oficial https://cwe.mitre.org/data/definitions/307.html
- OWASP Enterprise Security API (ESAPI) Project https://owasp.org/www-project-enterprise-security-api/
- Weak Password Brings 'Happiness' to Twitter Hacker https://www.wired.com/2009/01/professed-twitt/
- This Black Box Can Brute Force Crack iPhone PIN Passcodes https://www.intego.com/mac-security-blog/iphone-pin-pass-code/
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.