Client using Burp Suite to Test for the OWASP Top Ten
Discovered by OWASP B
CVSS: 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N against Identity Portal User Console port 8081
Description:
Some insecure configurations allow attackers to identify requests that return different responses depending on the action performed, without limiting the number of times the same request can be issued or the time for which it remains valid.
Requests that neither restrict the number of times they can be used nor expire correctly could allow an attacker to degrade the service of the application.
Environment: Gray Box
Recommendation:
It is recommended that you design and configure your application to respond in an equivalent way regardless of whether the user identifier exists in the application, so that responses are generic and do not reveal the existence of users on the platform.
It is necessary to establish a mechanism that prevents automated HTTP requests against functionalities whose abuse could degrade the service offered. It is recommended to encrypt the information sent to the backend in order to prevent its manipulation. Additionally, it is recommended to validate the number of attempts on the backend, or to block the client IP after a number of failed login attempts.
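The two controls recommended above (a generic response that does not depend on whether the user exists, and a backend-enforced attempt counter with an expiry window, per user identifier and per client IP) can be combined in one login handler. The following is an added example written for this article; it is not code from Identity Portal, and the user store, the `LoginGuard` class, the limits and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store: username -> PBKDF2 hash. Not the product's store.
_SALT = b"example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse")}
# A dummy hash is verified for unknown users so that the work done (and the
# time taken) does not differ between existing and non-existing identifiers.
_DUMMY_HASH = _hash("dummy")

MAX_ATTEMPTS = 5        # failed attempts tolerated inside the window (assumed value)
WINDOW_SECONDS = 300    # failures older than this expire from the counter
GENERIC_FAILURE = "Invalid username or password"


class LoginGuard:
    """Backend-side attempt limiter keyed on both user identifier and client IP."""

    def __init__(self, now=time.monotonic):
        self._now = now  # injectable clock so the expiry window can be tested
        # key -> timestamps of failed attempts; keys are "user:<id>" and "ip:<addr>"
        self._failures = defaultdict(list)

    def _prune(self, key):
        # Drop failures that fall outside the sliding window and return the count left.
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def is_blocked(self, key):
        return self._prune(key) >= MAX_ATTEMPTS

    def _record_failure(self, *keys):
        t = self._now()
        for key in keys:
            self._failures[key].append(t)

    def login(self, username, password, client_ip):
        user_key, ip_key = f"user:{username}", f"ip:{client_ip}"
        # Refuse before verifying credentials once either counter is exhausted;
        # the message is the same one used for a bad password.
        if self.is_blocked(user_key) or self.is_blocked(ip_key):
            return False, GENERIC_FAILURE
        stored = USERS.get(username, _DUMMY_HASH)
        # Constant-time comparison runs for every request; the existence check
        # comes afterwards so unknown users follow the same code path.
        ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
        if not ok:
            self._record_failure(user_key, ip_key)
            return False, GENERIC_FAILURE
        self._failures.pop(user_key, None)  # successful login resets the user counter
        return True, "OK"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.login("alice", "wrong", "10.0.0.1"))   # generic failure
    print(guard.login("nobody", "wrong", "10.0.0.1"))  # identical generic failure
    print(guard.login("alice", "correct horse", "10.0.0.1"))
```

Because the failure response and the work performed are identical for known and unknown identifiers, the user console gives an automated client nothing to distinguish accounts by, and the per-IP counter bounds how many requests a single source can make before the backend stops processing them for the rest of the window.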
Reference:
Brute Force Attack | OWASP Foundation
CVE/CWE/OTG: OTG-AUTHN-003
Release: 14.3, 14.4 - Virtual Appliance.
We recommend that the customer upgrade Identity Portal to the latest version (14.4.2) and consider enabling CSRF (Cross-Site Request Forgery) protection, reCAPTCHA and SSL capabilities.