
330 Lack of protection against brute force attacks - Credentials


Description

The application has no protection against automated attacks that attempt to guess valid credentials.


Impact

Increases an attacker's chances of obtaining valid credentials, since an unlimited number of guesses can be submitted at machine speed.


Recommendation

Implement a control that prevents automated guessing and ensures the function is not being executed by a bot, e.g. a CAPTCHA, rate limiting, or delays or temporary blocking after a number of failed attempts, among others.
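As an added illustration of the "blocking by delay after failed attempts" control (example code written for this page, not the application's own implementation), the guard below counts failures per account and per client address inside a sliding window and applies an exponential lockout once a threshold is crossed. The thresholds, the user store, the salt and the addresses are constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Hypothetical policy values chosen for this example; tune to the application.
MAX_FAILURES = 5            # failures tolerated inside the window before locking
WINDOW_SECONDS = 300        # sliding window in which failures are counted
BASE_LOCKOUT_SECONDS = 30   # first lockout; doubles on every further lockout
MAX_LOCKOUT_SECONDS = 3600  # cap so a victim is never locked out indefinitely


@dataclass
class _Counter:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0


class BruteForceGuard:
    """Throttle credential guessing per account and per client address.

    A failure is counted against both the username and the source IP, so a
    dictionary attack on one account and a credential-stuffing run spread
    across many accounts from one address are both slowed down.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._counters = {}

    @staticmethod
    def _keys(username, client_ip):
        return (f"user:{username.lower()}", f"ip:{client_ip}")

    def retry_after(self, username, client_ip):
        """Seconds the caller must wait before an attempt is accepted (0 = allowed)."""
        now = self._clock()
        wait = 0.0
        for key in self._keys(username, client_ip):
            counter = self._counters.get(key)
            if counter is not None:
                wait = max(wait, counter.locked_until - now)
        return max(0.0, wait)

    def record_failure(self, username, client_ip):
        now = self._clock()
        for key in self._keys(username, client_ip):
            c = self._counters.setdefault(key, _Counter())
            c.failures = [t for t in c.failures if now - t < WINDOW_SECONDS]
            c.failures.append(now)
            if len(c.failures) >= MAX_FAILURES:
                c.lockouts += 1
                delay = min(BASE_LOCKOUT_SECONDS * 2 ** (c.lockouts - 1), MAX_LOCKOUT_SECONDS)
                c.locked_until = now + delay
                c.failures.clear()

    def record_success(self, username, client_ip):
        # Clear only the account counter; the address counter keeps its history so
        # a stuffing run that happens to hit one valid pair is still throttled.
        self._counters.pop(f"user:{username.lower()}", None)


# Constructed user store for the example (fixed salt; not for production).
_SALT = b"example-salt-not-for-production"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}


def login(guard, username, password, client_ip):
    """Return 'ok', 'denied' or 'throttled'; never reveals which part failed."""
    if guard.retry_after(username, client_ip) > 0:
        return "throttled"          # rejected before any password check
    stored = USERS.get(username.lower())
    candidate = _hash(password)     # hash even for unknown users (timing)
    if stored is not None and hmac.compare_digest(stored, candidate):
        guard.record_success(username, client_ip)
        return "ok"
    guard.record_failure(username, client_ip)
    return "denied"


class FakeClock:
    """Manual clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    clock = FakeClock()
    guard = BruteForceGuard(clock=clock)

    def attempt(user, pw, ip):
        clock.advance(1)            # one attempt per second
        return login(guard, user, pw, ip)

    attacker, victim = "203.0.113.7", "198.51.100.4"   # constructed addresses
    wordlist = ["password", "123456", "alice", "qwerty", "letmein",
                "correct horse battery staple"]
    first_run = [attempt("alice", g, attacker) for g in wordlist]
    first_wait = guard.retry_after("alice", attacker)
    clock.advance(BASE_LOCKOUT_SECONDS)                # first lockout expires
    legit = attempt("alice", "correct horse battery staple", victim)
    second_run = [attempt("alice", g, attacker) for g in wordlist[:5]]
    return {
        "first_run": first_run,          # 5 denied, then throttled even on the right guess
        "first_lockout_wait": first_wait,
        "legit_after_lockout": legit,    # real user unaffected once the lockout ends
        "second_run": second_run,
        "second_lockout_wait": guard.retry_after("alice", attacker),  # doubled
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The sixth guess in the first run is the correct password, yet it is rejected because the account is locked: a guess made during a lockout gains the attacker nothing. The second lockout is twice as long because the address counter remembers the first one, while the legitimate user logging in from another address is not affected once the lockout has expired.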


Threat

Anonymous attacker from the Internet.


Expected Remediation Time

10 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the affected source.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/19