{"@ID": "799", "@Name": "Improper Control of Interaction Frequency", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.", "Extended_Description": "This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "691", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Web Based", "@Prevalence": "Undetermined"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Alternate_Terms": {"Alternate_Term": [{"Term": "Insufficient anti-automation", "Description": "The term \"insufficient anti-automation\" focuses primarly on non-human actors such as viruses or bots, but the scope of this CWE entry is broader."}, {"Term": "Brute force", "Description": "Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness."}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Availability", "Access Control", "Other"], "Impact": ["DoS: Resource Consumption (Other)", "Bypass Protection Mechanism", "Other"]}}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "In the following code a username and password is read from a socket and an attempt is made to authenticate the username and password. The code will continuously checked the socket for a username and password until it has been authenticated.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "#text": "isValidUser = AuthenticateUser(username, password);"}, "#text": "if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {}"}, "#text": "if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {}"}}, "#text": "char username[USERNAME_SIZE];char password[PASSWORD_SIZE];\n                     while (isValidUser == 0) {}return(SUCCESS);"}}, {"@Nature": "Good", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "#text": "isValidUser = AuthenticateUser(username, password);"}, "#text": "if (getNextMessage(socket, password, PASSWORD_SIZE) > 0) {}"}, "xhtml:br": null, "#text": "if (getNextMessage(socket, username, USERNAME_SIZE) > 0) {}count++;"}}, {"@style": "margin-left:1em;", "#text": "return(SUCCESS);"}, {"@style": "margin-left:1em;", "#text": "return(FAIL);"}], "#text": "int count = 0;while ((isValidUser == 0) && (count < MAX_ATTEMPTS)) {}if (isValidUser) {}else {}"}}], "Body_Text": "This code does not place any restriction on the number of authentication attempts made. There should be a limit on the number of authentication attempts made to prevent brute force attacks as in the following example code."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-50653", "Description": "Chain: e-commerce product has a \"front-end restriction\" for coupon use (CWE-602), but the server does not restrict the number of requests for the same coupon (CWE-799)", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-50653"}, {"Reference": "CVE-2002-1876", "Description": "Mail server allows attackers to prevent other users from accessing mail by sending large number of rapid requests.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1876"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "WASC", "Entry_ID": "21", "Entry_Name": "Insufficient Anti-Automation"}}, "References": {"Reference": {"@External_Reference_ID": "REF-731"}}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2010-01-15", "Submission_Version": "1.8", "Submission_ReleaseDate": "2010-02-16", "Submission_Comment": "New entry to handle anti-automation as identified in WASC."}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Observed_Examples, Relationships"}]}}
