Description
View on MITRECommon protection mechanisms include: Disconnecting the user after a small number of failed attempts Implementing a timeout Locking out a targeted account Requiring a computational task on the user's part.
Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [ REF-45 ]
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-307 (CWE-307: Improper Restriction of Excessive Authentication Attempts) it can compromise Bypass Protection Mechanism, leading to outcomes such as Scope: Access Control An attacker could perform an arbitrary number of authentication attempts using different passwords and and eventually gain access to the targeted account using a brute force attack..
Recommended mitigations for CWE-307 include: Common protection mechanisms include: Disconnecting the user after a small number of failed attempts Implementing a timeout Locking out a targeted account Requiring a computational task on the user's part. Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [ REF-45 ]
CWE-307 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-307 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.