CWE-307 Base Draft

Improper Restriction of Excessive Authentication Attempts

This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically…

Definition

What is CWE-307?

Without controls like account lockouts, rate limiting, or increasing time delays after failures, automated tools can make thousands of login attempts per minute. This makes brute-force and credential stuffing attacks highly effective, as attackers can try common passwords or leaked credentials until they succeed. Implementing these restrictions is a fundamental security control for any authentication system. Detecting and enforcing consistent authentication policies across all your services and APIs can be challenging. While SAST and DAST tools can identify missing protections, an ASPM like Plexicus helps by continuously monitoring your entire application stack for these misconfigurations and using AI to generate specific remediation guidance, streamlining the fix process.

Vulnerability Diagram CWE-307

Real-world impact

Real-world CVEs caused by CWE-307

CVE-2019-0039

the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing
CVE-1999-1152

Product does not disconnect or timeout after multiple failed logins.
CVE-2001-1291

Product does not disconnect or timeout after multiple failed logins.
CVE-2001-0395

Product does not disconnect or timeout after multiple failed logins.
CVE-2001-1339

Product does not disconnect or timeout after multiple failed logins.
CVE-2002-0628

Product does not disconnect or timeout after multiple failed logins.
CVE-1999-1324

User accounts not disabled when they exceed a threshold; possibly a resultant problem.

How attackers exploit it

Step-by-step attacker path

1
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
2
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
3
However, the software makes no attempt to restrict excessive authentication attempts.
4
This code attempts to limit the number of login attempts by causing the process to sleep before completing the authentication.
5
However, there is no limit on parallel connections, so this does not increase the amount of time an attacker needs to complete an attack.

Vulnerable code example

Vulnerable Java

The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.

Vulnerable Java

String username = request.getParameter("username");
  String password = request.getParameter("password");
  int authResult = authenticateUser(username, password);

Secure code example

Secure C

The validateUser method will continuously check for a valid username and password without any restriction on the number of authentication attempts made. The method should limit the number of authentication attempts made to prevent brute force attacks as in the following example code.

Secure C

int validateUser(char *host, int port)
  {
  		...
  		int count = 0;
  		while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
  				if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
  					if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
  						isValidUser = AuthenticateUser(username, password);
  					}
  				}
  				count++;
  		}
  		if (isValidUser) {
  			return(SUCCESS);
  		}
  		else {
  			return(FAIL);
  		}
  }

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-307

Architecture and Design Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part.
Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Detection signals

How to detect CWE-307

Dynamic Analysis with Automated Results Interpretation High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Web Application Scanner Web Services Scanner Database Scanners ``` Cost effective for partial coverage: ``` Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria

Dynamic Analysis with Manual Results Interpretation High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Fuzz Tester Framework-based Fuzzer ``` Cost effective for partial coverage: ``` Forced Path Execution

Manual Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Automated Static Analysis SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Configuration Checker

Architecture or Design Review High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-307 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-307?

How serious is CWE-307?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-307?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-307?

Common protection mechanisms include: - Disconnecting the user after a small number of failed attempts - Implementing a timeout - Locking out a targeted account - Requiring a computational task on the user's part. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

How does Plexicus detect and fix CWE-307?

Plexicus's SAST engine matches the data-flow signature for CWE-307 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-307?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/307.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-307

CWE-1390 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Improper Restriction of Excessive Authentication Attempts

What is CWE-307?

Real-world CVEs caused by CWE-307

Step-by-step attacker path

Vulnerable Java

Secure C

How to prevent CWE-307

How to detect CWE-307

Plexicus auto-detects CWE-307 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-307

Weak Authentication

Use of Weak Credentials

Not Using Password Aging

Password Aging with Long Expiration

Authentication Bypass by Alternate Name

Authentication Bypass by Spoofing

Authentication Bypass by Capture-replay

Reflection Attack in an Authentication Protocol

Authentication Bypass by Assumed-Immutable Data

Further reading

Don't Let Security
Weigh You Down.

Improper Restriction of Excessive Authentication Attempts

What is CWE-307?

Real-world CVEs caused by CWE-307

Step-by-step attacker path

Vulnerable Java

Secure C

How to prevent CWE-307

How to detect CWE-307

Plexicus auto-detects CWE-307 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-307

Weak Authentication

Use of Weak Credentials

Not Using Password Aging

Password Aging with Long Expiration

Authentication Bypass by Alternate Name

Authentication Bypass by Spoofing

Authentication Bypass by Capture-replay

Reflection Attack in an Authentication Protocol

Authentication Bypass by Assumed-Immutable Data

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.