Probabilistic Techniques
Lack of protection against brute force attacks - Credentials
Description The application has no protection against automated attacks to guess valid promotional codes. Impact Increase the chances of getting valid credentials. Recommendation Implement a control to prevent this type of attack and to ensure that ...
Weak credential policy - Password Change Limit
Description The application does not limit the number of password change requests that can be made in a day. Impact Change the password multiple times in a short period of time, denying access to the original user. Recommendation Implement a ...
Weak credential policy - Password Expiration
Description The AWS IAM (Identity and Access Management) policy has the Enable password expiration flag set to disabled; good security practices suggest that credentials should be renewed in 90 day periods. Impact Leak of credentials that can be used ...
Lack of protection against brute force attacks
Description The system does not have appropriate protection mechanisms against automated attacks designed to guess credentials. Impact Obtain the passwords of the application users. Recommendation Implement a control to avoid this type of attack and ...
Guessed weak credentials
Description The low complexity of the system credentials considerably reduces the amount of time required to guess them. This allows an attacker to succeed more quickly when executing a brute force attack. Impact Obtain functional credentials for resources ...
Enabled default credentials
Description It is possible to use low-strength, default credentials to access system resources, such as the database. Impact Obtain unauthorized access to resources or services with public credentials. Recommendation Eliminate the credentials from the ...
Weak credential policy
Description The system's credential policy is not compliant with security regulations. Impact Increase the chances of getting valid credentials using brute force or dictionary attacks. Recommendation Establish a policy for the creation of credentials that ...
Insecure generation of random numbers
Description The system uses insecure functions, insufficient ranges or low-entropy components to generate random numbers. This could allow an attacker to guess the generation sequence after a short time or predict results using probabilistic methods. ...