Improper Control of Interaction Frequency [CWE-799]
The Improper Control of Interaction Frequency weakness describes the case where an application does not limit the number or rate of unsuccessful requests, allowing brute-force attacks.
Created: June 11, 2018
Latest Update: December 28, 2020
Table of Contents
- Description
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Mitigations
- Vulnerability Remediation Techniques and Examples
- References
1. Description
The weakness is caused by a lack of control over the number or rate of attempts or requests that a client is allowed to send to the application. A remote attacker can exploit this to brute-force a user's password or session token, or to cause a denial of service by flooding the endpoint.
2. Potential impact
The vulnerability allows an attacker to brute-force access credentials and gain unauthorized access to the application.
3. Attack patterns
The following attack patterns are associated with this weakness:
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-49: Password Brute Forcing
- CAPEC-70: Try Common or Default Usernames and Passwords
- CAPEC-112: Brute Force
4. Affected software
Software that provides authentication capabilities and does not include protection mechanisms against brute-forcing is prone to this vulnerability.
5. Severity and CVSS Scoring
Exploitation of this vulnerability can be time-consuming, and its success depends on the password policy in place, the strength of users' credentials and the quality of session management (e.g. the entropy of session tokens). A common CVSSv3 score for this vulnerability is:
4.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L] – Medium
6. Mitigations
This vulnerability can be mitigated at the perimeter with a Web Application Firewall (WAF). Note that a WAF can only count requests to the login endpoint; it cannot distinguish a failed login from a successful one, so it complements rather than replaces the application-level controls described in section 7.
Below is an example of a ModSecurity configuration that protects the WordPress administrative interface by blocking, for a limited time, the IP address of a client that sends too many login requests:
# Shared setup: bind the persistent IP collection to the client address and set
# the thresholds the rules below reference (5 login POSTs within 300 s trigger a
# 1800 s block). The IP collection requires SecDataDir to be configured.
SecAction "phase:1,nolog,pass,id:10001000,initcol:ip=%{REMOTE_ADDR},setvar:tx.max_requests=5,setvar:tx.requests_ttl=300,setvar:tx.block_ttl=1800"
# Drop every request from an IP address that is currently blocked.
SecRule IP:blocked "@eq 1" "phase:1,drop,log,id:10001001"
<LocationMatch "/wp-login.php">
# Count POST requests to the login form that carry both the 'log' and 'pwd' fields.
SecAction "phase:2,chain,nolog,pass,id:10001002"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^log$" "chain"
SecRule ARGS_POST_NAMES "^pwd$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"
# Once the counter reaches the limit, mark the IP as blocked and drop the request.
SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'IP blocked for %{TX.block_ttl} seconds',id:10001003"
</LocationMatch>
7. Vulnerability Remediation Techniques and Examples
There are several ways to implement protection against brute-force attacks. For example, a CAPTCHA adds a layer of protection against automated brute-force attacks. The most reliable approach is to count unsuccessful attempts per account and temporarily lock the account when that number reaches a threshold; for example, block access to the account for 30 minutes after 5 unsuccessful attempts. Because account lockout on its own lets an attacker lock legitimate users out of their accounts, it should be combined with per-IP throttling (such as the WAF rules in section 6) and the lockout events should be logged and alerted on.
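The following is an added example, not code from the original article or from any product it describes, of the account-side control described above: a login routine that counts consecutive failed attempts per account and locks the account for 30 minutes after 5 failures. The `AuthService` and `Account` names, the PBKDF2 password hashing and the injectable clock are illustrative assumptions; the sample accounts and guesses in `simulate()` are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # lock the account after the 5th consecutive failure
LOCKOUT_SECONDS = 30 * 60   # 30-minute lock, the value recommended in the text


@dataclass
class Account:
    # Hypothetical minimal account record. Only a salted hash is stored; the
    # iteration count is kept modest so the example runs quickly.
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive unsuccessful attempts
    locked_until: float = 0.0  # epoch seconds until which logins are refused


class AuthService:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable clock so lock expiry can be exercised in tests
        self.accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'invalid'.

        Unknown users get the same 'invalid' answer as wrong passwords, and a
        dummy hash is computed for them, so the response text and timing do
        not reveal which usernames exist.
        """
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(password, b"\x00" * 16)   # burn comparable time
            return "invalid"
        if acct.locked_until > now:
            return "locked"       # refuse without evaluating the password while locked
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0     # a successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0     # counting restarts once the lock expires
        return "invalid"


def simulate() -> list[str]:
    """Constructed scenario: five wrong guesses, then the correct password
    while the account is locked, then the correct password after expiry."""
    fake_now = [1_000_000.0]
    svc = AuthService(clock=lambda: fake_now[0])
    svc.register("alice", "correct horse battery staple")
    results = [svc.login("alice", f"guess{i}") for i in range(5)]
    results.append(svc.login("alice", "correct horse battery staple"))  # still locked
    fake_now[0] += LOCKOUT_SECONDS + 1                                  # 30 minutes pass
    results.append(svc.login("alice", "correct horse battery staple"))  # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The counter lives on the account rather than on the client address, so an attacker rotating source IPs still hits the limit; conversely, because any client can trigger the lock, this control must sit beside per-IP throttling such as the WAF rules above, and the lock should be time-limited rather than permanent so the attacker cannot permanently deny service to the real user.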
8. References
- CWE-799: Improper Control of Interaction Frequency [cwe.mitre.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.