# Improper Restriction of Excessive Authentication Attempts (CWE-307)

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

- Prevalence: High (frequently exploited)
- Impact: Moderate (review recommended)
- Prevention: Documented (5 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Without a limit on the number of failed authentication attempts, an attacker can systematically guess user credentials through brute-force or dictionary attacks.

## Prevention

### Go

- Add rate limiting middleware to Chi auth endpoints using x/time/rate
- Add rate limiting middleware to prevent brute force attacks on Echo auth endpoints
- Add Fiber limiter middleware to prevent brute force attacks on auth endpoints

## Warning Signs

- [MEDIUM] ... ... lacks rate limiting protection

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Implement a policy that locks the account after multiple failed attempts
- Use progressive delays or a CAPTCHA after failed attempts
- Monitor for abnormal authentication patterns and alert on them

## Detection

- Total rules: 5
- Languages: go

## Rules by Language

### Go (5 rules)

- **Missing Rate Limiting in Chi Router Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Echo Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Fiber Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Gin Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
- **Missing Rate Limiting in Gorilla Mux Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
  - Remediation: Add rate limiting middleware to prevent brute force and DoS attacks.
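As an added example (not the scanner's own code and not one of the listed framework fixes), the lockout policy from the Mitigations section as a plain net/http middleware in Go: it wraps a login handler, counts each 401 it returns per client, and answers 429 once the threshold is reached. The names (`LoginLimiter`, `statusRecorder`) are assumed, as is keying by client IP rather than by account.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// LoginLimiter locks a client key out for lockout after maxFailures consecutive failed logins (constructed example, not the scanner's own code; keying by client IP is an assumption).
type LoginLimiter struct {
	mu          sync.Mutex
	maxFailures int
	lockout     time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLoginLimiter(maxFailures int, lockout time.Duration) *LoginLimiter {
	return &LoginLimiter{maxFailures: maxFailures, lockout: lockout, failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

// Allow reports whether key may attempt a login right now.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock(); defer l.mu.Unlock()
	return time.Now().After(l.lockedUntil[key]) // unknown keys map to the zero time, so they are allowed
}

// RecordFailure counts a failed login; reaching the threshold starts a lockout and resets the count.
func (l *LoginLimiter) RecordFailure(key string) {
	l.mu.Lock(); defer l.mu.Unlock()
	if l.failures[key]++; l.failures[key] >= l.maxFailures {
		l.lockedUntil[key] = time.Now().Add(l.lockout)
		delete(l.failures, key)
	}
}

// statusRecorder captures the status code the wrapped login handler wrote.
type statusRecorder struct{ http.ResponseWriter; status int }

func (r *statusRecorder) WriteHeader(c int) { r.status = c; r.ResponseWriter.WriteHeader(c) }

// Middleware answers 429 to locked-out clients and counts each 401 from the handler as a failure.
func (l *LoginLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key, _, err := net.SplitHostPort(r.RemoteAddr) // drop the ephemeral port, or every connection is a new key
		if err != nil { key = r.RemoteAddr }
		if !l.Allow(key) {
			http.Error(w, "too many failed login attempts", http.StatusTooManyRequests)
			return
		}
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r)
		if rec.status == http.StatusUnauthorized { l.RecordFailure(key) }
	})
}
```

A deployment behind a proxy would derive the key from the trusted forwarded-for header instead of RemoteAddr, and would also key by account name and keep the counters in shared storage so the limit holds across replicas.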