CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Application security insights and invitations to exclusive events in your inbox

Your data will stay confidential Private and Confidential

Improper Control of Interaction Frequency [CWE-799]

Improper Control of Interaction Frequency vulnerability described the case where the application does not control the number and frequency of unsuccessful requests allowing brute-force attack.

Improper Control of Interaction Frequency [CWE-799]

Created: June 11, 2018
Latest Update: January 10, 2019

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness is caused due to lack of control for number of attempts or requests that are allowed to be sent to the application. A remote attacker can perform a brute-force attack and guess user’s password, session token or cause a denial of service.

2. Potential impact

The vulnerability allows an attacker to brute-force access credentials and gain unauthorized access to the application.

Detect Improper Control of Interaction Frequency Now
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

3. Attack patterns

The following attack patterns are associated with this weakness:

4. Affected software

Software that provides authentication capabilities and does not include protection mechanisms against brute-forcing is prone to this vulnerability.

5. Severity and CVSS Scoring

Exploitation of this vulnerability can be time consuming and its success depends on implemented password policy, strength of users’ credentials, session management. A common CVSSv3 score for this vulnerability is:
4.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L] – Medium

6. Mitigations

This vulnerability can be mitigated with Web Application Firewall (WAF).

Below is an example of ModSecurity configuration to protect WordPress administrative interface by blocking access to the website for the IP address that was suspected in brute-force attack:

SecAction "phase:1,pass,setvar:TX.max_requests=11,setvar:TX.requests_ttl=180, setvar:TX.block_ttl=900,initcol:ip=%{REMOTE_ADDR},nolog,id: 10001000"

SecRule IP:blocked "@eq 1" "phase:1,drop,log,id: 10001001"

<LocationMatch "/wp-login.php">
SecAction "phase:2,chain,nolog,id:10001002"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^log$" "chain"
SecRule ARGS_POST_NAMES "^pwd$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'IP blocked for %{TX.block_ttl} seconds',id: 10001003"

7. Vulnerability Remediation Techniques and Examples

There are several ways to implement protection against brute-force attacks. For example, you can use CAPTCHA to add additional level of protection against automated brute-force attacks.

The best approach would be to count the number of unsuccessful attempts and block the user account when that number reaches a critical value. For example, we would recommend to block access to the account for 30 minutes after 5 unsuccessful attempts.

8. References

  1. CWE-799: Improper Control of Interaction Frequency []

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Quick Start
Free Trial