Authentication / No Lockout Information

Web and API

Description

No lockout information is an authentication weakness, catalogued as CWE-307 in the Common Weakness Enumeration, in which a system does not track failed login attempts as part of authentication. Because nothing counts the failures, an attacker can keep guessing passwords without the account ever being locked. The OWASP Testing Guide recommends testing for and preventing this weakness, since it allows an attacker to gain access to a system or a user account without the system noticing.

Risk

The risk associated with the No lockout information vulnerability is high. Not tracking failed login attempts lets an attacker guess their way into an account or system without being detected. This can expose confidential information or data and allow the attacker to change or modify the system in whatever way they choose.

Solution

The best solution to the No lockout information vulnerability is to implement an account lockout policy. The policy caps the number of failed login attempts allowed for a given account before the account is locked. If an attacker is guessing a user's password, the account is locked after that number of failed attempts, so the guessing cannot continue and the attacker is prevented from gaining access to the system.

Example

The following example of code shows how an account lockout policy can be implemented in a Web or API system:

if (login_attempts > max_attempts) {
  account_lockout();
}

This code checks whether the number of login attempts exceeds the maximum number allowed. If it does, the account lockout function is called, preventing the attacker from gaining access to the system.
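As an added example that is not part of the original page, the following Python code tracks failed attempts per account, locks the account once the limit is reached, and checks the lock before the password is verified so a locked account cannot be probed further. The attempt limit, the lockout duration, the audit log and the `verify_password` callback are assumptions made for this example.

```python
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not values from the page.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks failed logins per account and locks the account at the limit."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can control time
        self.accounts = {}
        self.audit_log = []  # lockout events a SOC would want to see

    def is_locked(self, username):
        state = self.accounts.get(username)
        return state is not None and state.locked_until > self.clock()

    def record_failure(self, username):
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        # An expired lockout starts a fresh counting window.
        if state.locked_until and state.locked_until <= now:
            state.failed_attempts, state.locked_until = 0, 0.0
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            self.audit_log.append((now, username, "account_locked"))
        return state.failed_attempts

    def record_success(self, username):
        self.accounts.pop(username, None)  # a successful login resets the counter


def authenticate(policy, username, password, verify_password):
    """Returns 'locked', 'ok' or 'failed'. The lock is checked before the
    password, so a locked account cannot be probed even with the right password."""
    if policy.is_locked(username):
        return "locked"
    if verify_password(username, password):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username)
    return "failed"
```

The lockout is deliberately time-limited and logged: an attacker can also use a lockout policy to keep legitimate users out, so the lock expires on its own and each lockout event is visible to monitoring.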
