Lack of Bruteforce Protection
Description
Lack of bruteforce protection occurs when an application does not implement mechanisms to prevent or detect repeated, automated login attempts. This allows attackers to systematically guess passwords, PINs, verification codes, or access tokens using tools like Hydra, Burp Suite Intruder, or custom scripts.
Without throttling controls such as account lockout, rate limiting, or CAPTCHA, an attacker can attempt thousands of credential combinations within a short time, and without multi-factor authentication (MFA) a single correct guess is enough to take over the account. This significantly increases the risk of unauthorized access, credential stuffing, and account takeover.
This vulnerability is especially critical when combined with weak password policies or the reuse of leaked credentials, which make accounts more susceptible to compromise.
Examples
No Rate Limiting on Login Page
An attacker can send thousands of POST requests to the login endpoint without being blocked or delayed:
POST /login
username=admin&password=guess123
Tools like Burp Intruder or Hydra can brute-force common passwords without detection.
No Account Lockout Mechanism
If an account is never temporarily locked after multiple failed attempts, an attacker can brute-force credentials indefinitely until successful.
PIN Code Bruteforce
For systems using short numeric PINs (e.g., 4-digit), the absence of a delay or retry limit lets an attacker try all 10,000 combinations in seconds; even a 6-digit PIN or one-time code has only one million possibilities.
No CAPTCHA on Login or Registration
Bots can automatically submit login or registration forms without resistance, aiding automated attacks at scale.
Credential Stuffing
Attackers try large lists of leaked credentials (e.g., from data breaches) against the login endpoint. Without detection or throttling, they can identify valid user/password combinations with ease.
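The attacks in the examples above, as an added illustration that is not code from the original page: each target function stands in for an unprotected endpoint (in a real assessment the loops would issue the POST shown earlier), and the usernames, passwords, PIN, wordlist and "breach dump" are all constructed for the demo. Because the application never delays, counts or locks, the PIN search simply runs until it hits, the dictionary attack walks a wordlist, and credential stuffing replays leaked pairs to find the ones still valid.

```python
import itertools
import time

# Constructed in-memory "application" with no brute-force protection at all:
# every attempt is answered, however many have already failed.
USERS = {"admin": "Summer2023!", "alice": "alice123"}   # constructed credentials
PINS = {"alice": "4821"}                                 # constructed 4-digit PIN


def vulnerable_login(username, password):
    """Unprotected login check: no delay, no counter, no lockout."""
    return USERS.get(username) == password


def vulnerable_pin_check(username, pin):
    """Unprotected PIN check, same weakness."""
    return PINS.get(username) == pin


def brute_force_pin(username, digits=4):
    """Enumerate the whole PIN space in order; returns (pin, attempts_used)."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        pin = "".join(combo)
        if vulnerable_pin_check(username, pin):
            return pin, attempts
    return None, attempts


def dictionary_attack(username, wordlist):
    """Try each candidate password against one account; returns (password, attempts_used)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if vulnerable_login(username, candidate):
            return candidate, attempts
    return None, len(wordlist)


def credential_stuffing(leaked_pairs):
    """Replay leaked username:password pairs; returns the ones that still work."""
    return [(u, p) for u, p in leaked_pairs if vulnerable_login(u, p)]


# Constructed wordlist and "breach dump"; alice reused her breached password.
COMMON_PASSWORDS = ["123456", "password", "Summer2023!", "qwerty"]
LEAKED = [("admin", "letmein"), ("alice", "alice123"), ("bob", "qwerty")]

if __name__ == "__main__":
    start = time.perf_counter()
    pin, n = brute_force_pin("alice")
    print(f"PIN {pin} found after {n} attempts in {time.perf_counter() - start:.3f}s")
    print("admin password:", dictionary_attack("admin", COMMON_PASSWORDS))
    print("credential stuffing hits:", credential_stuffing(LEAKED))
```

The attempt counts are the point: the full 4-digit space is at most 10,000 calls, and nothing in the target ever makes call number 10,000 cost more than call number one.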
Remediation
- Enforce Rate Limiting
  - Limit login attempts per source IP and per target account (for example, 3–5 per minute); a per-IP limit alone is bypassed by an attacker rotating through many addresses
  - Apply progressive delays or exponential backoff after each failed attempt so that every further guess costs more than the last
- Enable Account Lockout
  - Temporarily lock the account after a threshold of failed attempts (e.g., 5–10); keep the threshold much lower for short secrets such as 4-digit PINs, which a high limit would still leave exhaustible
  - Prefer temporary, automatically expiring locks: a permanent lock lets an attacker deny service to any user whose name they know
  - Consider sending alerts to users when their account is locked
- Use CAPTCHA or Bot Protection
  - Add CAPTCHA or equivalent bot prevention on login and registration pages after multiple failed attempts or suspicious activity
- Implement Multi-Factor Authentication (MFA)
  - Require MFA so that a guessed or leaked password alone is not enough for account takeover
  - Rate-limit and lock out the MFA code verification step as well: a 6-digit one-time code is itself a short secret that can be brute-forced
- Monitor and Alert on Suspicious Login Patterns
  - Detect bursts of failures against one account, one source failing across many accounts, and logins from unusual IP addresses or high-volume traffic patterns
  - Use IP reputation and threat intelligence feeds to block known malicious sources
- Use Credential Stuffing Detection
  - Identify login attempts using known breached credentials and block or flag them
  - Check passwords against breach corpora such as Have I Been Pwned's Pwned Passwords at registration and password change, and reject ones that have been exposed
- Audit and Log Authentication Events
  - Log all login attempts, failed logins, and account lockouts with timestamp, source IP and target account (never the submitted password)
  - Review logs regularly for bruteforce patterns
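The rate-limiting, progressive-delay, lockout and audit-logging items above, combined into one login gate as an added example (this is not code from the original page or from any particular product). The LoginGuard class, the PBKDF2 user store with a fixed salt, the FakeClock and the attack script with its IP addresses and credentials are all constructed for the demo; a production system would use a random per-user salt or a memory-hard KDF and back the counters with shared storage rather than process memory.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store: PBKDF2 hashes with one fixed salt, for brevity only.
SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {"alice": _hash("correct horse battery staple"), "bob": _hash("hunter2")}
_DUMMY = _hash("unused")  # hashed for unknown users too, so timing does not reveal valid names

def verify_password(username: str, password: str) -> bool:
    stored = USERS.get(username, _DUMMY)
    return hmac.compare_digest(stored, _hash(password)) and username in USERS


class LoginGuard:
    """Per-IP sliding-window limit, per-account exponential backoff,
    temporary lockout, and an audit record of every decision."""

    def __init__(self, clock=time.monotonic, ip_limit=5, ip_window=60,
                 lockout_threshold=5, lockout_seconds=900, base_delay=1.0):
        self.clock = clock
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.lockout_threshold, self.lockout_seconds = lockout_threshold, lockout_seconds
        self.base_delay = base_delay
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.not_before = {}               # account -> earliest accepted next attempt
        self.locked_until = {}             # account -> end of lockout
        self.events = []                   # audit log: (time, ip, user, outcome)

    def _log(self, now, ip, user, outcome):
        self.events.append((now, ip, user, outcome))
        return outcome

    def attempt(self, ip: str, username: str, password: str) -> str:
        now = self.clock()
        # 1. Per-IP limit over a sliding window; denied attempts still count.
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return self._log(now, ip, username, "rate_limited")
        hits.append(now)
        # 2. Lockout: even the right password is refused until the lock expires.
        if self.locked_until.get(username, 0) > now:
            return self._log(now, ip, username, "locked")
        # 3. Progressive delay: base_delay * 1, 2, 4, ... after each failure.
        if self.not_before.get(username, 0) > now:
            return self._log(now, ip, username, "backoff")
        if verify_password(username, password):
            self.failures[username] = 0
            self.not_before.pop(username, None)
            return self._log(now, ip, username, "success")
        n = self.failures[username] = self.failures[username] + 1
        self.not_before[username] = now + self.base_delay * 2 ** (n - 1)
        if n >= self.lockout_threshold:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0  # fresh count once the lock expires
            return self._log(now, ip, username, "locked_out")
        return self._log(now, ip, username, "failure")


class FakeClock:
    """Settable clock so the demo runs instantly instead of sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


def run_demo():
    clock = FakeClock()
    guard = LoginGuard(clock, ip_limit=5, ip_window=60,
                       lockout_threshold=3, lockout_seconds=900, base_delay=2.0)
    script = [  # constructed attack: (time, source ip, account, password)
        (0, "203.0.113.5", "alice", "x"),       # first failure, 2 s delay imposed
        (1, "203.0.113.5", "alice", "x"),       # too early: backoff
        (2, "203.0.113.5", "alice", "x"),       # second failure, 4 s delay
        (6, "203.0.113.5", "alice", "x"),       # third failure: locked for 900 s
        (20, "203.0.113.5", "alice", "correct horse battery staple"),  # right password, still locked
        (21, "203.0.113.5", "bob", "x"),        # 5 attempts in the window: rate limited
        (100, "203.0.113.5", "bob", "x"),       # window expired, plain failure
        (1000, "198.51.100.7", "alice", "correct horse battery staple"),  # lock expired, success
    ]
    outcomes = []
    for t, ip, user, pw in script:
        clock.now = float(t)
        outcomes.append(guard.attempt(ip, user, pw))
    return outcomes

if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Two design points worth noting: the rate-limit check runs before the account checks and counts denied requests, so an attacker cannot burn through the per-IP budget for free while probing lock state, and the lock is enforced ahead of password verification, so a locked account gives the same answer to the right and wrong password and leaks nothing.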
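Detection over the audit trail, as an added example for the monitoring, credential-stuffing-detection and log-review items above (not code from the original page). The log format, the IP addresses and the events in SAMPLE_LOG are constructed; the three patterns it flags are a burst of failures against one account, one source failing across several distinct accounts, and a success arriving right after such a burst from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication-log excerpt (not from any real system), one event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=admin result=failure
2024-05-01T10:00:02Z src=203.0.113.5 user=admin result=failure
2024-05-01T10:00:04Z src=203.0.113.5 user=admin result=failure
2024-05-01T10:00:05Z src=203.0.113.5 user=admin result=failure
2024-05-01T10:00:07Z src=203.0.113.5 user=admin result=failure
2024-05-01T10:00:09Z src=203.0.113.5 user=admin result=success
2024-05-01T10:01:00Z src=198.51.100.7 user=alice result=failure
2024-05-01T10:01:01Z src=198.51.100.7 user=bob result=failure
2024-05-01T10:01:03Z src=198.51.100.7 user=carol result=failure
2024-05-01T10:01:04Z src=198.51.100.7 user=dave result=success
2024-05-01T10:05:00Z src=192.0.2.10 user=alice result=failure
2024-05-01T10:05:30Z src=192.0.2.10 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Return (epoch_seconds, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def detect(events, window=60, account_threshold=5, spray_accounts=3):
    """Flag brute force, credential stuffing, and a success after a failure burst."""
    alerts = []
    fails_by_account = defaultdict(list)  # user -> failure times
    fails_by_ip = defaultdict(list)       # ip -> (time, user) failures
    fails_by_pair = defaultdict(list)     # (ip, user) -> failure times
    for ts, ip, user, result in events:
        if result != "success":
            fails_by_account[user].append(ts)
            fails_by_ip[ip].append((ts, user))
            fails_by_pair[(ip, user)].append(ts)
    # 1. Many failures against one account, from any number of sources.
    for user, times in fails_by_account.items():
        n = _max_in_window(times, window)
        if n >= account_threshold:
            alerts.append(("bruteforce", user, n))
    # 2. One source failing across several distinct accounts (stuffing / spraying).
    for ip, evs in fails_by_ip.items():
        evs.sort()
        for t0, _ in evs:
            users = {u for t, u in evs if 0 <= t - t0 <= window}
            if len(users) >= spray_accounts:
                alerts.append(("credential_stuffing", ip, len(users)))
                break
    # 3. Success right after a burst of failures from the same source: probable takeover.
    for ts, ip, user, result in events:
        if result == "success":
            recent = [t for t in fails_by_pair[(ip, user)] if 0 <= ts - t <= window]
            if len(recent) >= account_threshold:
                alerts.append(("success_after_failures", user, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low so the constructed excerpt triggers every rule; in production they are tuned against the normal failure rate, and the per-account rule is the one that still fires when the attacker spreads a brute force across many source addresses.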