
Improper Restriction of Excessive Authentication Attempts

5 rules detect this issue


The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Without a limit on the number of failed authentication attempts, an attacker can systematically guess user credentials through brute-force or dictionary attacks.
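As an added illustration of the failed-attempt limit the two paragraphs above call for, here is a small per-key attempt tracker in Go with a login handler on top of it. This is example code written for this page; it is not Shoulder's own code and not one of the framework fix examples. The type and function names (`NewAttemptTracker`, `LoginHandler`), the `checkCreds` callback, the account names, the client address and the limits are all constructed assumptions. The tracker counts failures inside a sliding window and, once the limit is reached, refuses further attempts for the key for a lockout period, whether or not the next password is correct.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// AttemptTracker counts failed authentication attempts per key inside a
// sliding window and locks the key out for a fixed period once the limit is
// reached. The caller picks the key (account name, client address, or both).
type AttemptTracker struct {
	mu       sync.Mutex
	maxFails int
	window   time.Duration
	lockout  time.Duration
	now      func() time.Time // injectable clock, useful in tests
	entries  map[string]*attemptState
}

type attemptState struct {
	failures    []time.Time // failure timestamps still inside the window
	lockedUntil time.Time   // zero value means not locked
}

func NewAttemptTracker(maxFails int, window, lockout time.Duration) *AttemptTracker {
	return &AttemptTracker{maxFails: maxFails, window: window, lockout: lockout,
		now: time.Now, entries: make(map[string]*attemptState)}
}

// prune drops failures that fell out of the window; the caller holds mu.
func (s *attemptState) prune(now time.Time, window time.Duration) {
	kept := s.failures[:0]
	for _, ts := range s.failures {
		if now.Sub(ts) < window {
			kept = append(kept, ts)
		}
	}
	s.failures = kept
}

// Allowed reports whether an attempt for key may proceed now and, if not,
// how long the client should wait.
func (t *AttemptTracker) Allowed(key string) (bool, time.Duration) {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.entries[key]
	if !ok {
		return true, 0
	}
	if now := t.now(); now.Before(s.lockedUntil) {
		return false, s.lockedUntil.Sub(now)
	}
	return true, 0
}

// RecordFailure registers a failed attempt and starts a lockout once maxFails
// failures have accumulated inside the window. Stale keys are never evicted
// here; a production version would expire idle entries or use a shared store.
func (t *AttemptTracker) RecordFailure(key string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.entries[key]
	if !ok {
		s = &attemptState{}
		t.entries[key] = s
	}
	now := t.now()
	s.prune(now, t.window)
	s.failures = append(s.failures, now)
	if len(s.failures) >= t.maxFails {
		s.lockedUntil = now.Add(t.lockout)
		s.failures = nil // the lockout is the penalty; count afresh afterwards
	}
}

// RecordSuccess clears the history for key after a correct login.
func (t *AttemptTracker) RecordSuccess(key string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.entries, key)
}

// LoginHandler wires the tracker into a login endpoint. checkCreds is the
// application's own credential check (assumed here). The key combines the
// normalised account name with the client address, so one abusive source
// cannot lock every user out of an account; a per-account counter is still
// advisable against guesses spread over many addresses. Behind a reverse
// proxy, RemoteAddr is the proxy, so derive the address from a trusted
// forwarding header there instead.
func LoginHandler(tr *AttemptTracker, checkCreds func(user, pass string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := strings.ToLower(strings.TrimSpace(r.FormValue("username")))
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		key := user + "|" + host
		if ok, wait := tr.Allowed(key); !ok {
			w.Header().Set("Retry-After", fmt.Sprintf("%d", int(wait.Seconds())+1))
			http.Error(w, "too many failed attempts", http.StatusTooManyRequests)
			return
		}
		if !checkCreds(user, r.FormValue("password")) {
			tr.RecordFailure(key)
			// Same status and body for unknown user and wrong password.
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		tr.RecordSuccess(key)
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	// Constructed demo: six wrong passwords for one account, limit of five per minute.
	tr := NewAttemptTracker(5, time.Minute, 15*time.Minute)
	key := "alice|203.0.113.7"
	for i := 1; i <= 6; i++ {
		if ok, wait := tr.Allowed(key); !ok {
			fmt.Printf("attempt %d: locked out, retry in %s\n", i, wait.Round(time.Second))
			continue
		}
		tr.RecordFailure(key)
		fmt.Printf("attempt %d: wrong password recorded\n", i)
	}
}
```

The lockout is deliberately enforced before the password is checked, so a correct guess made during the lockout is still refused and the attacker learns nothing from it; the handler also returns the same 401 for an unknown user and a wrong password to avoid account enumeration.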

Prevalence: High (frequently exploited)
Impact: Moderate (review recommended)
Prevention: Documented
5 fix examples
2 prevention

How to fix this vulnerability

Missing Rate Limiting in Chi Router Application [MEDIUM]

Add rate limiting middleware to Chi auth endpoints using x/time/rate

+17 -5 go
  package main
  
  import (
      "net/http"
-     "github.com/go-chi/chi/v5"
- )
- 
- func main() {
-     r := chi.NewRouter()
+     "time"
+     "golang.org/x/time/rate"
+     "github.com/go-chi/chi/v5"
+ )
+ 
+ func main() {
+     r := chi.NewRouter()
+     limiter := rate.NewLimiter(rate.Every(time.Second/5), 10)
+     r.Use(func(next http.Handler) http.Handler {
+         return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+             if !limiter.Allow() {
+                 http.Error(w, "Rate limit exceeded", 429)
+                 return
+             }
+             next.ServeHTTP(w, r)
+         })
+     })
      r.Post("/login", loginHandler)
      http.ListenAndServe(":8080", r)
  }
  
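Review bot: `rate.NewLimiter(rate.Every(time.Second/5), 10)` is a single token bucket shared by every client, so it caps total login throughput (5/s, burst 10) rather than attempts per account or per source: one attacker can drain it and deny logins to everyone, while a slow or distributed guessing run stays under it indefinitely. Key the limiter per client (a map of limiters by remote address, or per account name) and pair it with a failure-based lockout. Two smaller points: the middleware is registered with `r.Use`, so it throttles every route rather than only the auth endpoints the title names; scope it with `r.With(...)` or a `r.Group` around `/login`. And `http.Error(w, "Rate limit exceeded", 429)` should use `http.StatusTooManyRequests`, ideally with a `Retry-After` header. The hunk also deletes and re-adds the unchanged `func main()` and `r := chi.NewRouter()` lines, which inflates the diff for no change.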
Missing Rate Limiting in Echo Application [MEDIUM]

Add rate limiting middleware to prevent brute force attacks on Echo auth endpoints

+14 -5 go
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/login", loginHandler)
+ import (
+     "time"
+     "github.com/labstack/echo/v4"
+     "github.com/ulule/limiter/v3"
+     mecho "github.com/ulule/limiter/v3/drivers/middleware/echo"
+     "github.com/ulule/limiter/v3/drivers/store/memory"
+ )
+ 
+ func main() {
+     e := echo.New()
+     rate := limiter.Rate{Period: time.Minute, Limit: 10}
+     store := memory.NewStore()
+     mw := mecho.NewMiddleware(limiter.New(store, rate))
+     e.POST("/login", loginHandler, mw)
      e.Start(":8080")
  }
  
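Review bot: `limiter.Rate{Period: time.Minute, Limit: 10}` backed by `memory.NewStore()` keeps the counters in the process, so they reset on every restart and are not shared between replicas; with N instances behind a load balancer the effective limit becomes 10×N per minute. For anything beyond a single instance use a shared store (the library also ships a Redis driver). The ulule middleware keys on the client IP, and behind a reverse proxy every request arrives from the proxy's address, so either enable trusting the forwarded header for that hop only or all users end up sharing one 10-per-minute bucket. A per-IP count also does nothing against a guessing run on one account spread over many addresses; add a per-account failure counter alongside it. Attaching the middleware to the `/login` route only, as the hunk does, is the right scope.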
Missing Rate Limiting in Fiber Application [MEDIUM]

Add Fiber limiter middleware to prevent brute force attacks on auth endpoints

+12 -4 go
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
+ import (
+     "time"
+     "github.com/gofiber/fiber/v2"
+     "github.com/gofiber/fiber/v2/middleware/limiter"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     app.Use(limiter.New(limiter.Config{
+         Max:        10,
+         Expiration: time.Minute,
+     }))
      app.Post("/login", loginHandler)
      app.Listen(":3000")
  }
  
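Review bot: `app.Use(limiter.New(...))` registers the limiter globally, so the 10-per-minute cap applies to every route, including assets and APIs that legitimate clients hit far more often than that; attach it to the auth route instead (`app.Post("/login", limiter.New(limiter.Config{...}), loginHandler)`) or narrow it with the config's `Next` predicate. The Fiber limiter keys on `c.IP()`, which behind a proxy is the proxy's address unless `fiber.Config` sets `ProxyHeader` and `EnableTrustedProxyCheck`, so configure that or every user shares one bucket. Because this is an authentication endpoint, counting only failures (`SkipSuccessfulRequests: true`) avoids penalising users who log in correctly several times, and a per-account lockout is still needed against attempts spread across many source addresses.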
4 warning signs

What to look for in code review

These patterns indicate a potential Improper Restriction of Excessive Authentication Attempts vulnerability. Look for them during code reviews and security audits.

- ... ... lacks rate limiting protection (rule: go-chi-rate-limiting)

Scan your codebase for: Improper Restriction of Excessive Authentication Attempts

The Shoulder CLI finds vulnerable patterns across your entire codebase.