General Information

Session Stored Lockout Counter Abuse

Variants:
Direct

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Account Lockout, Anti-Automation, Session Management, Secure Design

Invented In:
01/01/1999

Added In:
19/12/2014


Vector Operation Method:
Attackers performing a credential brute-force attack against a specific account can replace their session identifier after a number of failed attempts that is smaller than the number triggering the account lockout, because a programming flaw stores the login failure counter in a non-persistent location (the session rather than a server-side record keyed by the account), so discarding the session also discards the count.
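The flaw described above, illustrated with an added example that is not part of this entry: the vulnerable pattern keeps the failure counter in session state, the hardened pattern keys it by account in a server-side store (here a dict standing in for a database or cache). `LOCKOUT_THRESHOLD`, the `Session` class and the credential store are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # assumed policy value for this illustration


@dataclass
class Session:
    """Minimal stand-in for per-session server state (assumed)."""
    data: dict = field(default_factory=dict)


class SessionCounterLogin:
    """Vulnerable pattern: the failure counter lives in the session."""

    def __init__(self, password_db):
        self.password_db = password_db  # constructed username -> password map

    def attempt(self, session, username, password):
        failures = session.data.get("failures", 0)
        if failures >= LOCKOUT_THRESHOLD:
            return "locked"
        if self.password_db.get(username) == password:
            session.data["failures"] = 0
            return "ok"
        # Stored only in the session: gone as soon as the session is discarded.
        session.data["failures"] = failures + 1
        return "denied"


class AccountCounterLogin:
    """Hardened pattern: the failure counter is keyed by account, server-side."""

    def __init__(self, password_db):
        self.password_db = password_db
        self.failures = {}  # stands in for a persistent store (database/cache)

    def attempt(self, session, username, password):
        count = self.failures.get(username, 0)
        if count >= LOCKOUT_THRESHOLD:
            return "locked"
        if self.password_db.get(username) == password:
            self.failures[username] = 0
            return "ok"
        # Keyed by account, independent of which session made the attempt.
        self.failures[username] = count + 1
        return "denied"


def lockout_survives_new_session(login_cls):
    """True if reaching the threshold still locks the account from a fresh session."""
    login = login_cls({"alice": "correct-horse"})  # constructed sample credential
    session = Session()
    for _ in range(LOCKOUT_THRESHOLD):
        login.attempt(session, "alice", "wrong-password")
    # A client arriving with a brand-new session carries no session-bound state.
    return login.attempt(Session(), "alice", "wrong-password") == "locked"
```

The check returns `False` for the session-stored counter and `True` for the account-keyed one; the same probe makes a useful regression test for a login service's lockout policy.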


Direct Variant:

Session Stored Lockout Counter Abuse

Variant Title:
Session Stored Lockout Counter Abuse

Typical Severity:
Medium
