Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Insufficient Anti-Automation

Abstract
Failure to detect and block automated attacks can enable an attacker to conduct brute force attacks or trigger denial of service conditions.
Explanation
All web forms in the application must be protected against automated submissions. An attacker can automatically fill and submit registration forms to create fake accounts or overwhelm the database. Contact and messaging forms that do not prevent automated form submissions can be used to spam the application administrators or users. Automated password cracking programs can target login forms with ineffective anti-automation mechanisms. Programmers must always assume that all user interfaces will be abused by attackers in order to find weaknesses.
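As an added illustration (not code from Fortify or from any framework), the following sliding-window limiter shows one anti-automation control for the login and registration forms described above: submissions are counted per client and per form, and a burst beyond the budget is rejected so it can be logged or answered with a challenge. The class name, the per-client key, and the sample traffic are assumptions made for this example.

```python
import time
from collections import defaultdict, deque


class FormRateLimiter:
    """Sliding-window limiter for form submissions, keyed per client and form.
    Hypothetical helper written for this example (not Fortify's or any
    framework's code); the clock is injected so replays are deterministic."""

    def __init__(self, max_submissions, window_seconds, clock=time.monotonic):
        self.max_submissions = max_submissions
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # (client, form) -> recent timestamps

    def allow(self, client_id, form_name):
        """Return True if the submission is within budget, False if it should be
        rejected (or answered with a challenge) as likely automated traffic."""
        now = self.clock()
        hits = self._hits[(client_id, form_name)]
        # Expire timestamps that have fallen out of the window
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_submissions:
            return False
        hits.append(now)
        return True


def replay(events, max_submissions=5, window_seconds=60):
    """Replay (time, client, form) events offline with a manual clock;
    return one (client, form, allowed) tuple per event."""
    clock = [0.0]
    limiter = FormRateLimiter(max_submissions, window_seconds, lambda: clock[0])
    decisions = []
    for t, client, form in events:
        clock[0] = t
        decisions.append((client, form, limiter.allow(client, form)))
    return decisions


# Constructed traffic: one human registration, then a script hitting the login
# form once per second, and a final retry after the window has expired.
SAMPLE_EVENTS = [(0.0, "10.0.0.5", "register")]
SAMPLE_EVENTS += [(float(i), "203.0.113.9", "login") for i in range(8)]
SAMPLE_EVENTS += [(120.0, "203.0.113.9", "login")]
```

A per-client budget is only one layer: traffic spread across many source addresses stays under it, so login forms also need a per-account failure limit or a challenge step, and every rejection should be logged for detection.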
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 799
[2] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.1 General Authenticator Requirements (L1 L2 L3)
[3] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Anti-automation (WASC-21)