CVS_00183.009 - AppSec Flow: Vulnerability - Authentication without brute-force protection
conviso-platform-dev opened this issue · 0 comments
ID: CVS_00183.009
Category: CWE-592: Authentication Bypass Issues
Reported by: Tiago Cassio da Conceição
Project: tiagocassio/tasks_app
Criticality:
Impact: High
Probability: Low
Criticality: Medium
Standards: [2013] A2 – Broken Authentication and Session Management, N/A
Description: This authentication system has no protection against brute-force attacks. Authentication plays a critical role in the security of web applications: when a user provides a login name and password to authenticate and prove their identity, the application grants that user specific privileges in the system, based on the identity established by the supplied credentials.
Brute force is a method for guessing a password that involves systematically trying all possible combinations of characters until the correct one is found. This can take a very long time, so one alternative is a dictionary attack, although that only works if the user has chosen an everyday word as a password rather than a combination of letters, numbers and non-alphanumeric characters.
Impact description: Pending completion
Solution: An important measure against automated brute-force authentication attacks is to add random content (a challenge such as a CAPTCHA) to the page presented to the authenticating client's browser. Another solution is to lock out an IP address after multiple failed logins.
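The two controls above combined in one failed-login throttle, as an added example that is not code from the tasks_app project: per-key counters (client IP and account name are both checked, the stricter state wins) that require a challenge after a few failures and lock the key after more. Names, thresholds and the in-memory store are assumptions.

```python
# Added example (not from the tasks_app project). Thresholds are hypothetical;
# state is in-process, so a real deployment would keep it in a shared store.
import time
from collections import defaultdict


class LoginThrottle:
    """Counts failed logins per key (client IP or account name).

    After `challenge_after` failures inside `window` seconds the caller
    should present a CAPTCHA; after `lock_after` failures the key is locked
    for `lock_seconds`. A successful login clears the counter.
    """

    def __init__(self, challenge_after=3, lock_after=5, window=600,
                 lock_seconds=900, clock=time.time):
        self.challenge_after = challenge_after
        self.lock_after = lock_after
        self.window = window
        self.lock_seconds = lock_seconds
        self.clock = clock                 # injectable for tests
        self.failures = defaultdict(list)  # key -> timestamps of failures
        self.locked_until = {}             # key -> unlock timestamp

    def _recent(self, key):
        """Drop failures older than the window and return the rest."""
        cutoff = self.clock() - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def state(self, key):
        """Return 'locked', 'challenge' or 'ok' for this key."""
        if self.locked_until.get(key, 0) > self.clock():
            return "locked"
        if len(self._recent(key)) >= self.challenge_after:
            return "challenge"
        return "ok"

    def record_failure(self, key):
        now = self.clock()
        recent = self._recent(key)
        recent.append(now)
        if len(recent) >= self.lock_after:
            self.locked_until[key] = now + self.lock_seconds
            recent.clear()             # counting restarts after the lock
        return self.state(key)

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def login_allowed(throttle, ip, username):
    """Check both the client IP and the account; the stricter state wins."""
    order = {"ok": 0, "challenge": 1, "locked": 2}
    return max(throttle.state(ip), throttle.state(username), key=order.get)
```

Keying on the account as well as the IP matters because a lockout based only on source address misses attempts spread across many addresses, while an IP-only lock can also block legitimate users sharing a NAT address.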
Reference: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts
Type of flaw:
**Protocol:** http
**Method:** GET
**URL:** http://localhost
Parameters:
test
Step by step:
test
**Request:** test
**Response:** test
Defect Tracker: https://app.conviso.com.br/scopes/11/projects/3921