High Severity
🟠 Insufficient Brute Force Protection
🧠 Description
The application lacks adequate protection against brute-force attacks: an attacker can make an unlimited number of login attempts to guess valid credentials or password-reset tokens.
Impact: Account Takeover, Credential Stuffing, Password Spraying
🎯 Attack Surface
- Login endpoints
- Password reset flows
- OTP verification
- 2FA submission
- API authentication
⚡ Bypass Techniques
- Use different IP per attempt
- Rotate User-Agent header
- Use proxy chains
- Slow down timing (2-3 sec)
- Target inactive accounts
- Use credential stuffing lists
🛡️ Mitigation
✅ Implement account lockout after 5 failed attempts
✅ Use CAPTCHA after 3 failed attempts
✅ Implement progressive delays
✅ Monitor and alert on unusual login patterns
✅ Use MFA for sensitive accounts