CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Improper Control of Interaction Frequency [CWE-799]

This vulnerability described the case where the application does not control the number and frequency of unsuccessful requests allowing brute-force attack.

Created: June 11, 2018

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness is caused due to lack of control for number of attempts or requests that are allowed to be sent to the application. A remote attacker can perform a brute-force attack and guess user’s password, session token or cause a denial of service.

2. Potential impact

The vulnerability allows an attacker to brute-force access credentials and gain unauthorized access to the application.

3. Attack patterns

The following attack patterns are associated with this weakness:

4. Affected software

Software that provides authentication capabilities and does not include protection mechanisms against brute-forcing is prone to this vulnerability.

5. Severity and CVSS Scoring

Exploitation of this vulnerability can be time consuming and its success depends on implemented password policy, strength of users’ credentials, session management. A common CVSSv3 score for this vulnerability is:
4.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L] – Medium

6. Mitigations

This vulnerability can be mitigated with Web Application Firewall (WAF).

Below is an example of ModSecurity configuration to protect WordPress administrative interface by blocking access to the website for the IP address that was suspected in brute-force attack:

SecAction "phase:1,pass,setvar:TX.max_requests=11,setvar:TX.requests_ttl=180, setvar:TX.block_ttl=900,initcol:ip=%{REMOTE_ADDR},nolog,id: 10001000"

SecRule IP:blocked "@eq 1" "phase:1,drop,log,id: 10001001"

<LocationMatch "/wp-login.php">
SecAction "phase:2,chain,nolog,id:10001002"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^log$" "chain"
SecRule ARGS_POST_NAMES "^pwd$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'IP blocked for %{TX.block_ttl} seconds',id: 10001003"
</LocationMatch>

7. Vulnerability Remediation Techniques and Examples

There are several ways to implement protection against brute-force attacks. For example, you can use CAPTCHA to add additional level of protection against automated brute-force attacks.

The best approach would be to count the number of unsuccessful attempts and block the user account when that number reaches a critical value. For example, we would recommend to block access to the account for 30 minutes after 5 unsuccessful attempts.

8. References

  1. CWE-799: Improper Control of Interaction Frequency [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.

↑ Back to Top
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share
Let's Talk