Sar writingv2
Lack of Brute Force Protection on Change Password Page
The change password function did not enforce account lockout. After ten (10) consecutive invalid attempts, the application still accepted valid credentials on the next attempt.
Without account lockout, an attacker could run an ongoing password guessing attack against the web application.
Framework Safeguard: AC-7
Severity: Moderate (CVSS 6.2). An attack requires publicly available tools, authenticated access to the application and a moderate amount of time, depending on password strength.
Impact: An attacker who already holds an authenticated session for an account (for example a hijacked or unattended session) but does not know its password could use the change password function to guess the current password. Once the password is known, the attacker could return later after the session has ended, or could try the same password against the user's other accounts where it has been reused.
Recommendation: Configure the application to lock accounts for 30 minutes after 10 consecutive invalid authentication attempts, counting invalid current-password entries on the change password page as well as failed logins.
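The following is an added example, not code from the assessed application, showing the recommended control applied to a change password handler. The account store, the PBKDF2 parameters and the function and class names are assumptions made for the illustration; the 10-attempt threshold and 30-minute lockout come from the recommendation above. The `enforce_lockout=False` path reproduces the behaviour described in the finding, where the valid current password is still accepted after ten invalid attempts.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple, List

MAX_CONSECUTIVE_FAILURES = 10   # threshold from the recommendation
LOCKOUT_SECONDS = 30 * 60       # 30 minutes, from the recommendation
PBKDF2_ITERATIONS = 100_000     # assumed hashing parameter, not from the finding


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak partial matches."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class PasswordChanger:
    """Change-password handler (hypothetical). enforce_lockout=False reproduces the finding."""

    def __init__(self, clock=time.time, enforce_lockout: bool = True):
        self.clock = clock
        self.enforce_lockout = enforce_lockout

    def change_password(self, acct: Account, current: str, new: str) -> str:
        now = self.clock()
        # The fix: refuse while locked *before* checking the password, so a correct
        # guess inside the lockout window is not accepted and the response does not
        # reveal whether the guess was right.
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"
        if not verify_password(current, acct.salt, acct.digest):
            acct.consecutive_failures += 1
            if self.enforce_lockout and acct.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.consecutive_failures = 0   # fresh window once the lock expires
                return "locked"
            return "invalid"
        # Correct current password: reset the counter and store the new hash.
        acct.consecutive_failures = 0
        acct.salt, acct.digest = hash_password(new)
        return "changed"


def replay(enforce_lockout: bool) -> Tuple[List[str], str, str]:
    """Replays the test from the finding: ten wrong current passwords, then the
    right one, then the right one again 30 minutes later. Uses a fake clock and a
    constructed account; returns (outcomes of the ten guesses, valid attempt after
    them, valid attempt after the lockout window)."""
    t = [0.0]
    salt, digest = hash_password("correct horse")   # constructed sample account
    acct = Account("alice", salt, digest)
    svc = PasswordChanger(clock=lambda: t[0], enforce_lockout=enforce_lockout)
    wrong = [svc.change_password(acct, f"guess{i}", "n3w-Pass") for i in range(10)]
    valid = svc.change_password(acct, "correct horse", "n3w-Pass")
    t[0] += LOCKOUT_SECONDS   # advance the fake clock by the lockout duration
    current = "n3w-Pass" if valid == "changed" else "correct horse"
    later = svc.change_password(acct, current, "an0ther-Pass")
    return wrong, valid, later


if __name__ == "__main__":
    print("no lockout (finding):", replay(enforce_lockout=False))
    print("with lockout (fix):  ", replay(enforce_lockout=True))
```

Two points a practitioner should check when deploying this: the counter and lock are keyed on the account, not the client IP, so a distributed guessing attack is still stopped; and because any party that knows a username can trigger the lock, the 30-minute window is a deliberate trade-off against denial of service, which is why a hard lockout is normally paired with alerting on accounts that lock repeatedly.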
Policy Reference: National IT Security Password Policy