CWE-307: Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, which makes brute-force attacks against credentials more likely to succeed.
Technical Details
- Structure: Simple
- Vulnerability Mapping: ALLOWED
Applicable To
- Languages: Not Language-Specific
Security Consequences
- Scope: Access Control
- Impact: Bypass Protection Mechanism
- Note: An attacker could perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
Mitigation Strategies
- Phase: Architecture and Design. Common protection mechanisms include:
  - Disconnecting the user after a small number of failed attempts
  - Implementing a timeout
  - Locking out a targeted account
  - Requiring a computational task on the user's part
- Phase: Architecture and Design. Strategy: Libraries or Frameworks. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
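The following is an added example, not code from this page or from MITRE, illustrating the mitigations listed above (and repeated in the FAQ below). It places the CWE-307 pattern (a login that can be called any number of times) beside a hardened login that counts consecutive failures per account, locks the account out with an exponentially growing timeout, and additionally caps attempts per source address so one client cannot spray a few passwords across many accounts. The user store, salt, wordlist and source addresses are constructed for the example; the password hash is PBKDF2 with a fixed salt and a low iteration count purely to keep the demo deterministic and fast. A proof-of-work or CAPTCHA (the "computational task" mechanism) is not shown.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store (example data). Real code uses a random per-user salt
# and a much higher iteration count; both are fixed/low here for a deterministic demo.
_SALT = b"example-salt-16b"
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"alice": (_SALT, _hash("Summer2024", _SALT))}


def check_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash(password, _SALT)  # same work for unknown users: no timing-based username oracle
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def login_vulnerable(username: str, password: str) -> str:
    """CWE-307 pattern: nothing limits how often this can be called for one account."""
    return "ok" if check_password(username, password) else "denied"


class ManualClock:
    """Injectable clock so lockout timing can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0
    def advance(self, seconds: float) -> None:
        self.t += seconds
    def __call__(self) -> float:
        return self.t


class ThrottledLogin:
    """Per-account lockout with exponential backoff plus a per-source attempt cap."""
    MAX_FAILURES = 5        # consecutive failures before the account locks
    BASE_LOCKOUT = 60.0     # seconds; doubles on each successive lockout of the same account
    SOURCE_WINDOW = 600.0   # seconds
    SOURCE_LIMIT = 20       # attempts per source per window, across all accounts (anti-spray)

    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.failures = defaultdict(int)          # username -> consecutive failures
        self.lockouts = defaultdict(int)          # username -> number of lockouts so far
        self.locked_until = {}                    # username -> clock time the lock expires
        self.source_attempts = defaultdict(list)  # source -> timestamps of recent attempts

    def _source_allowed(self, source: str, now: float) -> bool:
        recent = [t for t in self.source_attempts[source] if now - t < self.SOURCE_WINDOW]
        self.source_attempts[source] = recent
        if len(recent) >= self.SOURCE_LIMIT:
            return False
        recent.append(now)
        return True

    def login(self, username: str, password: str, source: str) -> str:
        now = self.clock()
        if not self._source_allowed(source, now):
            return "throttled"
        if now < self.locked_until.get(username, 0.0):
            return "locked"  # the password is not even evaluated while locked
        if check_password(username, password):
            self.failures.pop(username, None)
            self.lockouts.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.lockouts[username] += 1
            backoff = self.BASE_LOCKOUT * 2 ** (self.lockouts[username] - 1)
            self.locked_until[username] = now + backoff
            self.failures[username] = 0
            return "locked"
        return "denied"


def brute_force(attempt, username: str, wordlist):
    """Try each candidate in order; return (password_or_None, attempts_made)."""
    for n, candidate in enumerate(wordlist, 1):
        if attempt(username, candidate) == "ok":
            return candidate, n
    return None, len(wordlist)


# Constructed wordlist; the real password is the last entry.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "admin", "Summer2024"]

if __name__ == "__main__":
    print("vulnerable:", brute_force(login_vulnerable, "alice", WORDLIST))
    guard = ThrottledLogin(ManualClock())
    print("throttled: ", brute_force(lambda u, p: guard.login(u, p, "198.51.100.7"), "alice", WORDLIST))
```

Against the vulnerable login the seven-word list recovers the password on the seventh try; against the throttled login the fifth failure locks the account, so the sixth and seventh candidates (including the correct one) are never evaluated. The lock expires on its own and doubles on repeat offences, and a source that has used its window budget is refused even when it presents the right password, which is what stops low-and-slow spraying across accounts.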
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-307: Improper Restriction of Excessive Authentication Attempts?
CWE-307: Improper Restriction of Excessive Authentication Attempts is a Common Weakness Enumeration (CWE) entry maintained by MITRE. It covers products that do not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
What are the security consequences of CWE-307: Improper Restriction of Excessive Authentication Attempts?
If exploited, CWE-307 lets an attacker bypass a protection mechanism (scope: Access Control). An attacker could perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
How do you prevent or mitigate CWE-307: Improper Restriction of Excessive Authentication Attempts?
Recommended mitigations for CWE-307 include the common protection mechanisms of disconnecting the user after a small number of failed attempts, implementing a timeout, locking out a targeted account, and requiring a computational task on the user's part. Strategy: Libraries or Frameworks. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Which programming languages are affected by CWE-307: Improper Restriction of Excessive Authentication Attempts?
CWE-307 is not language-specific: any authentication endpoint, whatever language it is written in, exhibits the weakness if it does not limit failed attempts. Weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-307 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.