Lack of Account Lockout


Description

The application does not lock out user accounts after multiple failed login attempts. This allows an attacker to conduct dictionary and brute-force attacks against user accounts in an attempt to gain unauthorized access. After repeated failed login attempts, it was still possible to log in to the application.
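The following is an added example, not code from the findings database: a minimal Python login check in the vulnerable form described above (every attempt is evaluated, no matter how many have failed) beside a version that temporarily locks an account after a threshold of consecutive failures. The user store, threshold and lockout window are assumed values for the demonstration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed threshold of consecutive failed attempts
LOCKOUT_SECONDS = 900     # assumed lockout window (15 minutes)


def make_user_store(credentials):
    """Constructed demo store: username -> SHA-256 of the password.
    A real system uses a slow, salted password hash (bcrypt/argon2)."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in credentials.items()}


def _password_matches(users, user, password):
    stored = users.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


def login_no_lockout(users, user, password):
    # The finding: the password is checked on every attempt, so an attacker
    # can keep guessing and is limited only by request rate.
    return _password_matches(users, user, password)


@dataclass
class AccountGuard:
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0   # fresh count once the window expires

    def record_success(self, user):
        self.failures.pop(user, None)


def login_with_lockout(users, guard, user, password, now=None):
    now = time.time() if now is None else now
    if guard.is_locked(user, now):
        return False   # refused without checking the password, even a correct one
    if _password_matches(users, user, password):
        guard.record_success(user)
        return True
    guard.record_failure(user, now)
    return False
```

A permanent lock lets anyone deny service to a known username, so the remediation is normally a time-limited lock or progressive delay as shown here, with the bursts of failures logged so they can be detected.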

Custom Description

Impact

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

