|Name ||Inducing Account Lockout |
|Summary ||An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks. |
|Prerequisites ||The system has a lockout mechanism.
An attacker must be able to reproduce behavior that would result in an account being locked. |
|Solutions ||Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.
When implementing security features, consider how they can be misused and made to turn on themselves. |
|CWE ID ||Description |
|CWE-400 ||Uncontrolled Resource Consumption ('Resource Exhaustion') |