Improper Restriction of Excessive Authentication Attempts (CWE-307)

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Without a limit on the number of failed authentication attempts, an attacker can systematically guess user credentials through brute-force or dictionary attacks.

普及度

高

頻繁に悪用される

影響度

ミディアム

レビュー推奨

予防

文書化済み

5 件の修正例

2 予防

この脆弱性の修正方法

🐹 Go すべて表示 Go 詳細 →

Missing Rate Limiting in Chi Router Application MEDIUM

Add rate limiting middleware to Chi auth endpoints using x/time/rate

+17 -5 go

  package main
  
  import (
      "net/http"
-     "github.com/go-chi/chi/v5"
- )
- 
- func main() {
-     r := chi.NewRouter()
+     "time"
+     "golang.org/x/time/rate"
+     "github.com/go-chi/chi/v5"
+ )
+ 
+ func main() {
+     r := chi.NewRouter()
+     limiter := rate.NewLimiter(rate.Every(time.Second/5), 10)
+     r.Use(func(next http.Handler) http.Handler {
+         return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+             if !limiter.Allow() {
+                 http.Error(w, "Rate limit exceeded", 429)
+                 return
+             }
+             next.ServeHTTP(w, r)
+         })
+     })
      r.Post("/login", loginHandler)
      http.ListenAndServe(":8080", r)
  }

Missing Rate Limiting in Echo Application MEDIUM

Add rate limiting middleware to prevent brute force attacks on Echo auth endpoints

+14 -5 go

  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/login", loginHandler)
+ import (
+     "time"
+     "github.com/labstack/echo/v4"
+     "github.com/ulule/limiter/v3"
+     mecho "github.com/ulule/limiter/v3/drivers/middleware/echo"
+     "github.com/ulule/limiter/v3/drivers/store/memory"
+ )
+ 
+ func main() {
+     e := echo.New()
+     rate := limiter.Rate{Period: time.Minute, Limit: 10}
+     store := memory.NewStore()
+     mw := mecho.NewMiddleware(limiter.New(store, rate))
+     e.POST("/login", loginHandler, mw)
      e.Start(":8080")
  }

Missing Rate Limiting in Fiber Application MEDIUM

Add Fiber limiter middleware to prevent brute force attacks on auth endpoints

+12 -4 go

  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
+ import (
+     "time"
+     "github.com/gofiber/fiber/v2"
+     "github.com/gofiber/fiber/v2/middleware/limiter"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     app.Use(limiter.New(limiter.Config{
+         Max:        10,
+         Expiration: time.Minute,
+     }))
      app.Post("/login", loginHandler)
      app.Listen(":3000")
  }

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Restriction of Excessive Authentication Attemptsパターンをスキャンしましょう。 5 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=307

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (5)

🐹 Go 5 rules

Missing Rate Limiting in Chi Router Application MEDIUM

Authentication endpoints lack rate limiting protection.

Missing Rate Limiting in Echo Application MEDIUM

Authentication endpoints lack rate limiting protection.

Missing Rate Limiting in Fiber Application MEDIUM

Authentication endpoints lack rate limiting protection.

Missing Rate Limiting in Gin Application MEDIUM

Authentication endpoints lack rate limiting protection.

Missing Rate Limiting in Gorilla Mux Application MEDIUM

Authentication endpoints lack rate limiting protection.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Restriction of Excessive Authentication Attemptsの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟡

... ... lacks rate limiting protection go-chi-rate-limiting

🔍

コードベースをスキャン: Improper Restriction of Excessive Authentication Attempts

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示