# Improper Restriction of Excessive Authentication Attempts (CWE-307)

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (5 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Without a limit on the number of failed authentication attempts, an attacker can systematically guess user credentials through brute-force or dictionary attacks.

## Prevention

### Go

- Add rate limiting middleware to Chi auth endpoints using x/time/rate
- Add rate limiting middleware to prevent brute force attacks on Echo auth endpoints
- Add Fiber limiter middleware to prevent brute force attacks on auth endpoints

## Warning Signs

- [MEDIUM] ... ... lacks rate limiting protection

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Implement a policy that locks the account after multiple failed authentication attempts
- Use progressive delays or CAPTCHA after failed authentication attempts
- Monitor for unusual authentication patterns and raise alerts on them

## Detection

- Total rules: 5
- Languages: go

## Rules by Language

### Go (5 rules)

- **Missing Rate Limiting in Chi Router Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Echo Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Fiber Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Gin Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Gorilla Mux Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
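The remediation every rule above asks for is the same: wrap the authentication endpoint in rate limiting middleware so that a source can only make a bounded number of attempts before it is throttled. The following is an added example, not code from this page's rule set or from any of the listed frameworks. It uses only the standard `net/http` router; `Limiter`, `RateLimit`, `ClientIP` and `loginHandler` are names chosen for the example, and the per-key token bucket is a self-contained stand-in for `golang.org/x/time/rate` so the block runs without external modules. The clock is injectable so the throttling behaviour can be checked deterministically.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter is a per-key token bucket (example stand-in for golang.org/x/time/rate).
// Each key gets `burst` attempts immediately, then `rate` attempts per second.
type Limiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // bucket capacity: attempts allowed before throttling starts
	buckets map[string]*bucket
	now     func() time.Time // injectable clock for deterministic tests
}

type bucket struct {
	tokens float64
	last   time.Time
}

// NewLimiter builds a limiter; pass nil for now to use the wall clock.
func NewLimiter(r float64, burst int, now func() time.Time) *Limiter {
	if now == nil {
		now = time.Now
	}
	return &Limiter{rate: r, burst: float64(burst), buckets: map[string]*bucket{}, now: now}
}

// Allow consumes one token for key. When the bucket is empty it reports false
// and how long the caller must wait until the next token is available.
func (l *Limiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	// Refill proportionally to elapsed time, capped at the burst size.
	b.tokens = math.Min(l.burst, b.tokens+t.Sub(b.last).Seconds()*l.rate)
	b.last = t
	if b.tokens >= 1 {
		b.tokens--
		return true, 0
	}
	wait := time.Duration((1 - b.tokens) / l.rate * float64(time.Second))
	return false, wait
}

// ClientIP keys the limiter on the TCP peer address. X-Forwarded-For is
// deliberately not consulted: it is client-controlled unless a trusted
// reverse proxy in front of this service overwrites it.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// RateLimit wraps an authentication handler. Throttled requests receive
// 429 Too Many Requests plus a Retry-After header and never reach the handler,
// so the credential check (and its cost) is not executed for them.
func RateLimit(l *Limiter, keyFn func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow(keyFn(r))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(math.Ceil(wait.Seconds()))))
			http.Error(w, "too many authentication attempts", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// loginHandler is a placeholder authentication endpoint with a constructed
// credential pair; a real service would verify a password hash here.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if r.FormValue("user") == "alice" && r.FormValue("pass") == "correct-horse" {
		fmt.Fprintln(w, "welcome")
		return
	}
	http.Error(w, "invalid credentials", http.StatusUnauthorized)
}

func main() {
	// Example policy: 5 attempts at once, then one every 10 seconds per source IP.
	limiter := NewLimiter(0.1, 5, nil)
	mux := http.NewServeMux()
	mux.Handle("/login", RateLimit(limiter, ClientIP, http.HandlerFunc(loginHandler)))
	http.ListenAndServe(":8080", mux)
}
```

Keying on the client IP alone is the minimum; a production deployment typically adds a second limiter keyed on the target username so that attempts spread across many source addresses still hit the page's account-lockout or progressive-delay policy, and logs each 429 so the monitoring the Mitigations section asks for has something to alert on.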