[RSPEC-2614] Authentication attempts should be limited in number - SonarSource

Details

Type: Vulnerability Detection
Status: Active
Resolution: Unresolved
Labels:

Message:
Make sure infinite authentication attempts are not permitted.
Default Severity:
Critical
Impact:
High
Likelihood:
Low
Targeted languages:

ABAP, C#, C, C++, Cobol, Flex, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6
Remediation Function:
Constant/Issue
Constant Cost:
1h
Analysis Scope:

Main Sources
Common Rule:

Yes

CWE:
CWE-307
OWASP:
A2
SANS Top 25:
Porous Defenses

Description

Locking an account which has had too many sequential, failed login attempts within a short time can help resist brute force attacks. This rule raises an issue on authentication code so that such controls can be verified.

Noncompliant Code Example

env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);

DirContext ctx = new InitialDirContext(env);  // Noncompliant

See

OWASP Top 10 2017 Category A2 - Broken Authentication
MITRE, CWE-307 - Improper Restriction of Excessive Authentication Attempts
SANS Top 25 - Porous Defenses

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Ann Campbell

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

16/Feb/15 8:38 PM

Updated:

07/May/19 10:05 AM