
Improper Restriction of Excessive Authentication Attempts

5 rules detect this

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Without a cap on failed attempts, an attacker can guess credentials at whatever rate the server will answer: a brute-force or dictionary attack against one account, or a handful of common passwords sprayed across many accounts. A limiter that counts only failures, keyed on the target account and the source address, and that is consulted before the password is checked, removes that freedom without throttling legitimate users.

Prevalence: High (frequently exploited)
Impact: Medium (review recommended)
Prevention: Documented (5 fix examples)
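As an added example, not Shoulder's code and not one of the fix snippets on this page, the following Go program shows the control described above in working form: a limiter that counts only failed logins, keyed on username plus source address, consulted ahead of the password check. Every name in it (FailedAttemptLimiter, Login, Simulate), the "alice" account, the addresses 203.0.113.7 and 198.51.100.4 and the guessed passwords are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// FailedAttemptLimiter refuses a key (here "username|client-ip") after max failures
// until window has elapsed since the last failure. Successful logins are never counted.
type FailedAttemptLimiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	state  map[string]*attempts
}

type attempts struct {
	failures int
	last     time.Time
}

func NewFailedAttemptLimiter(max int, window time.Duration) *FailedAttemptLimiter {
	return &FailedAttemptLimiter{max: max, window: window, state: map[string]*attempts{}}
}

// Allowed reports whether an attempt for key may proceed at time now.
func (l *FailedAttemptLimiter) Allowed(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.state[key]
	return !ok || now.Sub(s.last) >= l.window || s.failures < l.max
}

// Record notes one outcome: success clears the key; a failure counts, restarting at one after the window.
func (l *FailedAttemptLimiter) Record(key string, now time.Time, success bool) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if success {
		delete(l.state, key)
		return
	}
	s, ok := l.state[key]
	if !ok || now.Sub(s.last) >= l.window {
		s = &attempts{}
		l.state[key] = s
	}
	s.failures++
	s.last = now
}

// users is a constructed demo store (username -> SHA-256 of password); real code keeps a slow salted hash (bcrypt, argon2id).
var users = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse battery staple"))}

// checkPassword runs the constant-time compare even for unknown users, so timing does not reveal which usernames exist.
func checkPassword(user, pass string) bool {
	want, exists := users[user]
	got := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && exists
}

// Login consults the limiter first and the password second, returning the HTTP status. Keying on
// username plus source address throttles an attacker hammering one account without letting that attacker lock it for everyone else.
func Login(lim *FailedAttemptLimiter, now time.Time, user, pass, ip string) int {
	key := strings.ToLower(user) + "|" + ip
	if !lim.Allowed(key, now) {
		return http.StatusTooManyRequests
	}
	ok := checkPassword(user, pass)
	lim.Record(key, now, ok)
	if !ok {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// Simulate replays a dictionary attack on alice from 203.0.113.7 (a constructed address),
// then the real password from that address, from another address, and after the window.
func Simulate() []int {
	lim := NewFailedAttemptLimiter(5, 15*time.Minute)
	t := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var codes []int
	for _, guess := range []string{"password", "123456", "letmein", "qwerty", "alice1"} {
		codes = append(codes, Login(lim, t, "alice", guess, "203.0.113.7"))
	}
	codes = append(codes, Login(lim, t, "alice", "correct horse battery staple", "203.0.113.7"))                    // locked out: 429
	codes = append(codes, Login(lim, t, "alice", "correct horse battery staple", "198.51.100.4"))                   // other address: 200
	codes = append(codes, Login(lim, t.Add(16*time.Minute), "alice", "correct horse battery staple", "203.0.113.7")) // window elapsed: 200
	return codes
}

func main() {
	fmt.Println(Simulate()) // [401 401 401 401 401 429 200 200]
}
```

Two choices in this example are deliberate. The limiter is consulted before the password is checked, so a locked-out attacker never learns whether a guess was right, and only failures are counted, so a user who logs in regularly is never throttled while five bad passwords in fifteen minutes still lock that username-and-address pair. To wire it into net/http, take the username and password from the form and the address from `net.SplitHostPort(r.RemoteAddr)` (or from a forwarded header only when a proxy you control sets it), then write the status `Login` returns. In production you would add a looser counter keyed on the username alone, since a distributed attacker can rotate addresses, another keyed on the address alone to catch password spraying, and keep all of them in a shared store such as Redis when more than one instance serves logins.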

How to fix this vulnerability

Missing Rate Limiting in Chi Router Application MEDIUM

Add rate limiting middleware to Chi auth endpoints using x/time/rate

+17 -5 go
  package main
  
  import (
      "net/http"
-     "github.com/go-chi/chi/v5"
- )
- 
- func main() {
-     r := chi.NewRouter()
+     "time"
+     "golang.org/x/time/rate"
+     "github.com/go-chi/chi/v5"
+ )
+ 
+ func main() {
+     r := chi.NewRouter()
+     limiter := rate.NewLimiter(rate.Every(time.Second/5), 10)
+     r.Use(func(next http.Handler) http.Handler {
+         return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+             if !limiter.Allow() {
+                 http.Error(w, "Rate limit exceeded", 429)
+                 return
+             }
+             next.ServeHTTP(w, r)
+         })
+     })
      r.Post("/login", loginHandler)
      http.ListenAndServe(":8080", r)
  }
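Review bot: the limiter created on the `limiter := rate.NewLimiter(rate.Every(time.Second/5), 10)` line is one global token bucket, and because it is registered with `r.Use` it gates every route on the router, not only `/login`. Any single client sending more than five requests per second drains the bucket for everyone else (a trivial denial of service against all legitimate users), and the attacker still gets a steady five guesses per second against any account, which is enough to walk a common-password list. Key the limiter per client (a `map[string]*rate.Limiter` guarded by a `sync.Mutex`, keyed on the remote address, or better on remote address plus the username in the form) and attach it to the auth route alone, e.g. `r.With(loginLimit).Post("/login", loginHandler)`; count only failed attempts so successful users are not throttled. Prefer `http.StatusTooManyRequests` over the bare `429` and set a `Retry-After` header so well-behaved clients back off.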
  
Missing Rate Limiting in Echo Application MEDIUM

Add rate limiting middleware to prevent brute force attacks on Echo auth endpoints

+14 -5 go
  package main
  
- import "github.com/labstack/echo/v4"
- 
- func main() {
-     e := echo.New()
-     e.POST("/login", loginHandler)
+ import (
+     "time"
+     "github.com/labstack/echo/v4"
+     "github.com/ulule/limiter/v3"
+     mecho "github.com/ulule/limiter/v3/drivers/middleware/echo"
+     "github.com/ulule/limiter/v3/drivers/store/memory"
+ )
+ 
+ func main() {
+     e := echo.New()
+     rate := limiter.Rate{Period: time.Minute, Limit: 10}
+     store := memory.NewStore()
+     mw := mecho.NewMiddleware(limiter.New(store, rate))
+     e.POST("/login", loginHandler, mw)
      e.Start(":8080")
  }
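Review bot: `store := memory.NewStore()` keeps the counters inside the process, so with N replicas behind a load balancer the effective budget is N×10 per minute and every restart clears the count; use the package's redis store driver when more than one instance serves `/login`. The middleware also keys on the client IP it derives from the connection, so behind a reverse proxy every user shares the proxy's address and one user's ten bad guesses lock out everybody, while turning on `limiter.WithTrustForwardHeader(true)` without a proxy that overwrites `X-Forwarded-For` lets the attacker choose a fresh key per request. Decide which of the two applies to this deployment and configure it explicitly. Note too that `limiter.Rate{Period: time.Minute, Limit: 10}` counts successes as well as failures; a per-account failed-attempt counter inside `loginHandler` is still needed against a slow, distributed guess at a single user.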
  
Missing Rate Limiting in Fiber Application MEDIUM

Add Fiber limiter middleware to prevent brute force attacks on auth endpoints

+12 -4 go
  package main
  
- import "github.com/gofiber/fiber/v2"
- 
- func main() {
-     app := fiber.New()
+ import (
+     "time"
+     "github.com/gofiber/fiber/v2"
+     "github.com/gofiber/fiber/v2/middleware/limiter"
+ )
+ 
+ func main() {
+     app := fiber.New()
+     app.Use(limiter.New(limiter.Config{
+         Max:        10,
+         Expiration: time.Minute,
+     }))
      app.Post("/login", loginHandler)
      app.Listen(":3000")
  }
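Review bot: `app.Use(limiter.New(...))` registers the limiter on every route, so the 10-per-minute budget is consumed by page loads, static assets and API calls before an attacker even reaches `/login`, and an ordinary user browsing the site gets 429 everywhere. Attach it to the auth route only: `app.Post("/login", limiter.New(limiter.Config{Max: 10, Expiration: time.Minute}), loginHandler)`. The default key is `c.IP()`, which is the load balancer's address when the app sits behind one unless `fiber.Config` sets `ProxyHeader` together with `EnableTrustedProxyCheck` and `TrustedProxies`; without that, every user shares a single counter. Consider `SkipSuccessfulRequests: true` so only failed logins spend the budget, and keep in mind the default in-memory storage is per instance, so the real limit multiplies with the replica count.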
  
4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Improper Restriction of Excessive Authentication Attempts vulnerabilities. Look for these during code reviews and security audits.

MEDIUM  ... ... lacks rate limiting protection (rule: go-chi-rate-limiting)
