3. of Spoofing
An attacker could try one credential after another and there’s nothing to slow them down (online or offline).
Threat |
|
Brute forcing a login form until the password matches. They might choose to try the username admin and then, using a dictionary of common passwords, try to guess the right password. |
|
CAPEC |
CAPEC-49 - Password Brute Forcing CAPEC-16 - Dictionary Based Password Attack CAPEC-565 - Password Spraying |
ASVS |
2.2.1 - Ensure you have protections in place against automated attacks and that they are tested |
CWE |
CWE-307 - Improper Restriction of Excessive Authentication Attempts |
Mitigations |
|
|