Details
- Type: Vulnerability Detection
- Status: Active
- Resolution: Unresolved
- Labels:
- Message: Make sure infinite authentication attempts are not permitted.
- Default Severity: Critical
- Impact: High
- Likelihood: Low
- Targeted languages: ABAP, C#, C, C++, Cobol, Flex, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6
- Remediation Function: Constant/Issue
- Constant Cost: 1h
- Analysis Scope: Main Sources
- Common Rule: Yes
- CWE: CWE-307
- OWASP: A2
- SANS Top 25: Porous Defenses
Description
Locking an account that has accumulated too many sequential failed login attempts within a short time, or at least slowing down further attempts (progressive delays, per-account and per-source rate limiting), makes online brute-force and credential-stuffing attacks impractical. Authentication code that retries a bind or password check without counting failures gives an attacker an unbounded number of guesses. This rule raises an issue on authentication code so that the presence of such controls can be verified during review; it flags the call for inspection rather than proving that the control is missing, since the throttling may be enforced elsewhere (for example by the directory server's own password policy).
Noncompliant Code Example
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);
DirContext ctx = new InitialDirContext(env); // Noncompliant: the bind is attempted with no failed-attempt counting or lockout around it
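The same JNDI bind with a per-account failed-attempt counter around it, as an added example that is not code from the rule page or from SonarSource. The class name, the limits (5 failures in 15 minutes, 15-minute lock) and the provider URL are assumptions chosen for illustration; the directory is assumed to accept simple binds.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example, not code from the rule page: an LDAP simple bind wrapped in a
// per-account failed-attempt counter. Class, constant names and limits are hypothetical.
public final class ThrottledLdapAuthenticator {

    private static final int MAX_FAILURES = 5;                      // failures tolerated inside WINDOW
    private static final Duration WINDOW = Duration.ofMinutes(15);  // window over which failures are counted
    private static final Duration LOCKOUT = Duration.ofMinutes(15); // lock duration once MAX_FAILURES is reached

    /** Thrown when the account is locked; the directory is not contacted at all. */
    public static final class AccountLockedException extends Exception {
        AccountLockedException(String principal, Instant until) {
            super("Account " + principal + " is locked until " + until);
        }
    }

    /** Per-principal failure state; only mutated inside ConcurrentHashMap.compute(). */
    private static final class Attempts {
        int failures;
        Instant firstFailure;
        Instant lockedUntil;
    }

    private final Map<String, Attempts> attempts = new ConcurrentHashMap<>();
    private final String providerUrl;   // e.g. "ldaps://ldap.example.com:636" (hypothetical)

    public ThrottledLdapAuthenticator(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /** Returns true if the bind succeeds, false if the directory rejects the credentials. */
    public boolean authenticate(String principal, char[] password)
            throws AccountLockedException, NamingException {
        Instant now = Instant.now();
        rejectIfLocked(principal, now);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);   // the LDAP provider accepts String, char[] or byte[]

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind: the same call the noncompliant snippet makes unguarded
            attempts.remove(principal);         // a successful bind resets the counter
            return true;
        } catch (AuthenticationException e) {   // invalid credentials (LDAP result code 49)
            recordFailure(principal, now);
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    private void rejectIfLocked(String principal, Instant now) throws AccountLockedException {
        Attempts a = attempts.get(principal);
        if (a != null && a.lockedUntil != null) {
            if (now.isBefore(a.lockedUntil)) {
                throw new AccountLockedException(principal, a.lockedUntil);
            }
            attempts.remove(principal);         // lock expired: the account starts with a clean count
        }
    }

    private void recordFailure(String principal, Instant now) {
        attempts.compute(principal, (key, existing) -> {
            Attempts a = existing;
            if (a == null || a.firstFailure.plus(WINDOW).isBefore(now)) {
                a = new Attempts();             // first failure, or the previous window has expired
                a.firstFailure = now;
            }
            a.failures++;
            if (a.failures >= MAX_FAILURES) {
                a.lockedUntil = now.plus(LOCKOUT);
            }
            return a;
        });
    }
}
```

Two caveats a reviewer should check alongside the counter. First, the state lives in one JVM's memory: behind a load balancer each node counts separately, so the effective limit is multiplied by the node count unless the counter is kept in a shared store. Second, a hard lockout keyed only on the account lets anyone who knows a username lock its owner out by submitting wrong passwords, so pair it with per-source rate limiting or a progressive delay and make sure the lock is time-limited rather than permanent. Communication failures (other `NamingException` subclasses) are deliberately left to propagate rather than counted as bad credentials.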
See
- OWASP Top 10 2017 Category A2 - Broken Authentication
- MITRE, CWE-307 - Improper Restriction of Excessive Authentication Attempts
- SANS Top 25 - Porous Defenses