CWE-307 Improper Restriction of Excessive Authentication Attempts

Description

Improper Restriction of Excessive Authentication Attempts

Reference: https://cwe.mitre.org/data/definitions/307.html

OWASP Category: A07:2021 – Identification and Authentication Failures

---

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: No brute force protection
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest req) {
    if (authService.authenticate(req.getUsername(), req.getPassword())) {
        return ResponseEntity.ok(tokenService.generate(req.getUsername()));
    }
    return ResponseEntity.status(401).body("Invalid credentials");
}

Why it's vulnerable: This pattern is vulnerable to Improper Restriction of Excessive Authentication Attempts

---

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Rate limiting and account lockout
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest req, HttpServletRequest request) {
    String ip = request.getRemoteAddr();
    if (rateLimiter.isBlocked(ip)) {
        return ResponseEntity.status(429).body("Too many attempts. Try later.");
    }
    if (accountLockoutService.isLocked(req.getUsername())) {
        return ResponseEntity.status(423).body("Account locked");
    }
    if (authService.authenticate(req.getUsername(), req.getPassword())) {
        accountLockoutService.resetFailedAttempts(req.getUsername());
        return ResponseEntity.ok(tokenService.generate(req.getUsername()));
    }
    accountLockoutService.recordFailedAttempt(req.getUsername());
    rateLimiter.recordAttempt(ip);
    return ResponseEntity.status(401).body("Invalid credentials");
}

Why it's secure: Implements proper protection against Improper Restriction of Excessive Authentication Attempts

---

Detection Pattern

Look for these patterns in your codebase:

# Find login endpoints
grep -rn "login\\|authenticate" --include="*Controller.java"

---

Remediation Steps

1. Implement rate limiting per IP address

2. Lock accounts after N failed attempts

3. Add CAPTCHA after multiple failures

4. Implement exponential backoff

---

Key Imports

import javax.servlet.http.HttpServletRequest;

---

Verification

After remediation:

• Run SAST scanner to confirm vulnerability is resolved

• Review all instances of the vulnerable pattern

• Add unit tests that verify the secure implementation

• Check for similar patterns in related code

---

Trigger Examples

Fix CWE-307 vulnerability
Resolve Improper Restriction of Excessive Authentication Attempts issue
Secure this Java code against improper restriction of excessive authentication attempts
SAST reports CWE-307

---

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

---

References

• CWE-307: Excessive Authentication Attempts

---

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07