In view of COVID-19 precaution measures, we remind you that ImmuniWeb Platform allows to easily configure and safely buy online all available solutions in a few clicks.

Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

Improper Control of Interaction Frequency [CWE-799]

Improper Control of Interaction Frequency vulnerability described the case where the application does not control the number and frequency of unsuccessful requests allowing brute-force attack.

Improper Control of Interaction Frequency [CWE-799]

Created: June 11, 2018
Latest Update: July 29, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

Want to have an in-depth understanding of all modern aspects of
Improper Control of Interaction Frequency [CWE-799]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

The weakness is caused due to lack of control for number of attempts or requests that are allowed to be sent to the application. A remote attacker can perform a brute-force attack and guess user’s password, session token or cause a denial of service.

2. Potential impact

The vulnerability allows an attacker to brute-force access credentials and gain unauthorized access to the application.

How to Detect Improper Control of Interaction Frequency Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

3. Attack patterns

The following attack patterns are associated with this weakness:

4. Affected software

Software that provides authentication capabilities and does not include protection mechanisms against brute-forcing is prone to this vulnerability.

5. Severity and CVSS Scoring

Exploitation of this vulnerability can be time consuming and its success depends on implemented password policy, strength of users’ credentials, session management. A common CVSSv3 score for this vulnerability is:
4.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L] – Medium

6. Mitigations

This vulnerability can be mitigated with Web Application Firewall (WAF).

Below is an example of ModSecurity configuration to protect WordPress administrative interface by blocking access to the website for the IP address that was suspected in brute-force attack:

SecAction "phase:1,pass,setvar:TX.max_requests=11,setvar:TX.requests_ttl=180, setvar:TX.block_ttl=900,initcol:ip=%{REMOTE_ADDR},nolog,id: 10001000"

SecRule IP:blocked "@eq 1" "phase:1,drop,log,id: 10001001"

<LocationMatch "/wp-login.php">
SecAction "phase:2,chain,nolog,id:10001002"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^log$" "chain"
SecRule ARGS_POST_NAMES "^pwd$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'IP blocked for %{TX.block_ttl} seconds',id: 10001003"
</LocationMatch>

7. Vulnerability Remediation Techniques and Examples

There are several ways to implement protection against brute-force attacks. For example, you can use CAPTCHA to add additional level of protection against automated brute-force attacks.

The best approach would be to count the number of unsuccessful attempts and block the user account when that number reaches a critical value. For example, we would recommend to block access to the account for 30 minutes after 5 unsuccessful attempts.

8. References

  1. CWE-799: Improper Control of Interaction Frequency [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
How it Works Ask a Question