Byte Open Security

(ByteOS Network)

CWE-799: Improper Control of Interaction Frequency
Weakness ID: 799
Version: v4.17
Weakness Name: Improper Control of Interaction Frequency
Vulnerability Mapping: Allowed-with-Review
Abstraction: Class
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

▼Extended Description

This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.

▼Alternate Terms
Insufficient anti-automation

The term "insufficient anti-automation" focuses primarily on non-human actors such as viruses or bots, but the scope of this CWE entry is broader.


Brute force

Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature    Mapping      Type    ID   Name
ChildOf   Discouraged  Pillar  691  Insufficient Control Flow Management
ParentOf  Allowed      Base    307  Improper Restriction of Excessive Authentication Attempts
ParentOf  Allowed      Base    837  Improper Enforcement of a Single, Unique Action
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  808   2010 Top 25 - Weaknesses On the Cusp
MemberOf  Prohibited  Category  1348  OWASP Top Ten 2021 Category A04:2021 - Insecure Design
MemberOf  Prohibited  Category  1410  Comprehensive Categorization: Insufficient Control Flow Management
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-312  Other (impact)
MemberOf  Prohibited  BOSSView  BOSS-316  Bypass Protection Mechanism (impact)
MemberOf  Prohibited  BOSSView  BOSS-333  DoS: Resource Consumption (Other) (impact)
▼Relevant To View
Relevant to the view "OWASP Top Ten (2021) - (1344)"
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1348  OWASP Top Ten 2021 Category A04:2021 - Insecure Design
▼Background Detail

▼Common Consequences
Scope: Availability, Access Control, Other
Likelihood: N/A
Impact: DoS: Resource Consumption (Other); Bypass Protection Mechanism; Other
Note: N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Architecture and Design (Note: N/A)
Phase: Implementation (Note: N/A)
Phase: Operation (Note: N/A)
▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following code a username and password are read from a socket and an attempt is made to authenticate them. The code keeps checking the socket for a username and password until the pair has been authenticated.

Language: C (Bad code)

    char username[USERNAME_SIZE];
    char password[PASSWORD_SIZE];
    int isValidUser = 0;

    /* Loops until authentication succeeds: nothing caps the number of tries. */
    while (isValidUser == 0) {
        if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
            if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
                isValidUser = AuthenticateUser(username, password);
            }
        }
    }
    return(SUCCESS);

This code does not place any restriction on the number of authentication attempts made. There should be a limit on the number of authentication attempts, to prevent brute force attacks, as in the following example code.

Language: C (Good code)

    int count = 0;

    /* Give up after MAX_ATTEMPTS tries instead of looping until success. */
    while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {
        if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {
            if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {
                isValidUser = AuthenticateUser(username, password);
            }
        }
        count++;   /* every round through the loop counts as an attempt */
    }
    if (isValidUser) {
        return(SUCCESS);
    } else {
        return(FAIL);
    }
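The good code above caps the attempts on a single connection; the description also covers frequency, that is, how often an actor may interact per unit time. The following is an added example, not code from the CWE entry: a per-actor fixed-window attempt budget in C, keyed by an identifier such as the username, with assumed policy values (5 attempts per 60-second window) and assumed names (`allow_attempt`, `struct limiter`).

```c
#include <string.h>
#include <time.h>

/* Hypothetical policy values for this example: an actor gets at most 5
 * attempts per 60-second window; further attempts are refused until the
 * window has elapsed. */
#define MAX_ATTEMPTS_PER_WINDOW 5
#define WINDOW_SECONDS 60
#define MAX_ACTORS 64
#define ACTOR_ID_SIZE 32

struct actor_state {
    char id[ACTOR_ID_SIZE];   /* e.g. username or client address */
    time_t window_start;      /* start of the current counting window */
    int attempts;             /* attempts seen in the current window */
};
struct limiter { struct actor_state actors[MAX_ACTORS]; int count; };

/* Find or create the state slot for an actor; NULL if the table is full. */
static struct actor_state *lookup(struct limiter *l, const char *id) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->actors[i].id, id) == 0)
            return &l->actors[i];
    if (l->count >= MAX_ACTORS)
        return NULL;
    struct actor_state *s = &l->actors[l->count++];
    strncpy(s->id, id, ACTOR_ID_SIZE - 1);
    s->id[ACTOR_ID_SIZE - 1] = '\0';
    s->window_start = 0;
    s->attempts = 0;
    return s;
}

/* Record one interaction by `id` at time `now`. Returns 1 if it may proceed,
 * 0 if the actor has used up its budget for the current window. A full
 * table fails closed so an unknown actor cannot bypass the limit. */
int allow_attempt(struct limiter *l, const char *id, time_t now) {
    struct actor_state *s = lookup(l, id);
    if (s == NULL)
        return 0;
    if (now - s->window_start >= WINDOW_SECONDS) { /* window expired: reset */
        s->window_start = now;
        s->attempts = 0;
    }
    if (s->attempts >= MAX_ATTEMPTS_PER_WINDOW)
        return 0;
    s->attempts++;
    return 1;
}
```

A fixed window lets an actor spend one full budget at the end of a window and another at the start of the next, so use a sliding window or token bucket where that burst matters.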

▼Observed Examples
CVE-2002-1876: Mail server allows attackers to prevent other users from accessing mail by sending a large number of rapid requests.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
Description: N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed-with-Review
Reason: Abstraction
Rationale: This CWE entry is a Class and might have Base-level children that would be more appropriate.
Comments: Examine children of this entry to see if there is a better fit.
Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name: WASC
Entry ID: 21
Fit: N/A
Entry Name: Insufficient Anti-Automation
▼Related Attack Patterns
▼References
REF-731: Web Application Security Consortium, "Insufficient Anti-automation". URL: http://projects.webappsec.org/Insufficient+Anti-automation