https://www.secdev.uk/blog/tags/cwe-307/ Recent content in CWE-307 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 26 Apr 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-04-26-authentication-failures/ Sat, 26 Apr 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-04-26-authentication-failures/ <p>Authentication is the front door of every application, and OWASP A07 documents how often that door is left unlocked. When I started digging into authentication failures, I realised they go far beyond weak passwords, they encompass hardcoded credentials compiled into binaries, brute-force attacks with no rate limiting, password hashes that can be reversed in seconds, and reset flows that hand tokens directly to attackers. These patterns show up in production regularly, sometimes in the same application. This post covers three CWEs across Python, Java, Go, and Rust: CWE-798 (Use of Hard-Coded Credentials), CWE-287 (Improper Authentication), and CWE-307 (Improper Restriction of Excessive Authentication Attempts).</p>