Improper Restriction of Excessive Authentication Attempts
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The account lockout feature is disabled or not properly configured in your authentication logic, allowing unlimited failed login attempts. This makes it easy for attackers to repeatedly guess passwords without being blocked.
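As an added example (not code from the original page or from any particular project), the following C# snippet shows the weak and the corrected form of this pattern in ASP.NET Core Identity: a sign-in call that passes `lockoutOnFailure: false`, so failed attempts are never counted, beside one that passes `true`, together with the `IdentityOptions.Lockout` settings that govern the threshold and duration. The class name `LoginModel`, the field `_signInManager`, and the chosen values (5 attempts, 15 minutes) are assumptions for illustration.

```csharp
// Added example, not from the original page. Assumes an ASP.NET Core app
// using Microsoft.AspNetCore.Identity with IdentityUser; LoginModel,
// _signInManager and the numeric policy values are illustrative choices.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class LoginModel
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public LoginModel(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // Weak form: lockoutOnFailure is false, so Identity never increments the
    // user's failed-access counter and the account can never be locked out,
    // which is exactly the condition this rule flags.
    public async Task<bool> LoginWithoutLockoutAsync(string userName, string password)
    {
        SignInResult result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, lockoutOnFailure: false);
        return result.Succeeded;
    }

    // Corrected form: lockoutOnFailure is true, so each failure counts towards
    // Lockout.MaxFailedAccessAttempts and the account is locked for
    // Lockout.DefaultLockoutTimeSpan once the limit is reached.
    public async Task<string> LoginWithLockoutAsync(string userName, string password)
    {
        SignInResult result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded)
        {
            return "ok";
        }

        if (result.IsLockedOut)
        {
            // Surface the lockout to logging/monitoring so repeated lockouts
            // can be detected; the message returned to the caller stays generic
            // so the response does not reveal whether the account exists.
            Console.WriteLine($"lockout triggered for user '{userName}'");
        }

        return "Invalid login attempt.";
    }
}

public static class IdentityLockoutConfiguration
{
    // Makes the lockout policy explicit. Identity's defaults are 5 attempts and
    // a 5-minute lockout with AllowedForNewUsers = true, but they only take
    // effect when sign-in is called with lockoutOnFailure: true. Setting
    // AllowedForNewUsers = false would exempt newly created users entirely.
    public static IServiceCollection ConfigureLockoutPolicy(this IServiceCollection services)
    {
        services.Configure<IdentityOptions>(options =>
        {
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;              // assumed value
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15); // assumed value
        });
        return services;
    }
}
```

Call `services.ConfigureLockoutPolicy()` after `services.AddIdentity<IdentityUser, IdentityRole>()` (or `AddDefaultIdentity`) during service registration, and review every `PasswordSignInAsync` / `CheckPasswordSignInAsync` call for a `lockoutOnFailure: false` argument; that argument, or a custom login flow that validates the password without ever calling `UserManager.AccessFailedAsync`, is the usual way the lockout feature ends up disabled.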
Impact
If exploited, attackers can use automated tools to perform brute-force attacks and potentially compromise user accounts. This can lead to unauthorized access, data breaches, and reputational damage to your application or organization.