CWE-307 (Improper Restriction of Excessive Authentication Attempts) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-307

Improper Restriction of Excessive Authentication Attempts

Weakness Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Potential Mitigations

Architecture and Design

Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part.

Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Common Consequences

Access Control

Bypass Protection Mechanism

An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Detection Methods

Dynamic Analysis with Automated Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners ``` Cost effective for partial coverage: ``` Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria

Effectiveness: High

Dynamic Analysis with Manual Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer ``` Cost effective for partial coverage: ``` Forced Path Execution

Effectiveness: High

Manual Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)

Effectiveness: High

Automated Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Configuration Checker

Effectiveness: SOAR Partial

Architecture or Design Review

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Effectiveness: High

Related Weaknesses

CWE-1390 CWE-287 CWE-799

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources