{
  "rule": {
    "id": "S045",
    "name": "Brute-force Protection",
    "description": "Implement protection against brute-force attacks on authentication endpoints (login, sign-in, password reset/forgot). This rule flags authentication handlers that show no sign of rate limiting, account lockout, or CAPTCHA. Detection is heuristic: it matches route names, known throttling/lockout/CAPTCHA libraries, and naming patterns, so a clean result means a protection mechanism is referenced, not that it is correctly configured or actually enforced (e.g. a throttler module registered without its guard, or an IP-keyed limiter behind a reverse proxy without trust proxy).",
    "category": "security",
    "severity": "error",
    "languages": ["typescript", "javascript"],
    "frameworks": ["nestjs", "express", "node"],
    "version": "1.0.0",
    "status": "stable",
    "tags": ["security", "authentication", "brute-force", "rate-limiting", "owasp"],
    "references": [
      "https://owasp.org/www-community/attacks/Brute_force_attack",
      "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html",
      "https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks",
      "https://portswigger.net/web-security/authentication/password-based/brute-force"
    ]
  },
  "configuration": {
    "enableRateLimitDetection": true,
    "enableAccountLockoutDetection": true,
    "enableCaptchaDetection": true,
    "checkAuthenticationEndpoints": [
      "login",
      "signin", 
      "authenticate",
      "auth",
      "password",
      "reset",
      "forgot"
    ],
    "rateLimitLibraries": [
      "express-rate-limit",
      "express-slow-down",
      "@nestjs/throttler",
      "rate-limiter-flexible",
      "bottleneck",
      "limiter"
    ],
    "accountLockoutLibraries": [
      "express-slow-down",
      "rate-limiter-flexible",
      "express-brute",
      "express-brute-mongo"
    ],
    "captchaLibraries": [
      "recaptcha",
      "hcaptcha",
      "turnstile",
      "captcha"
    ],
    "vulnerablePatterns": [
      "login.*without.*rate.*limit",
      "auth.*without.*throttle",
      "password.*without.*lockout",
      "signin.*without.*captcha"
    ],
    "protectionPatterns": [
      "rate.*limit",
      "throttle",
      "lockout",
      "captcha",
      "brute.*force.*protection",
      "max.*attempts",
      "cooldown"
    ],
    "maxAttemptsThreshold": 5,
    "timeWindowMinutes": 15
  },
  "examples": {
    "violations": [
      {
        "description": "Login endpoint without rate limiting",
        "code": "@Post('login')\nasync login(@Body() loginDto: LoginDto) {\n  return this.authService.validateUser(loginDto);\n}"
      },
      {
        "description": "Authentication without account lockout",
        "code": "app.post('/auth/login', (req, res) => {\n  const { username, password } = req.body;\n  // No rate limiting or lockout mechanism\n  authenticateUser(username, password);\n});"
      },
      {
        "description": "Password reset without protection",
        "code": "@Post('reset-password')\nasync resetPassword(@Body() resetDto: ResetPasswordDto) {\n  // No rate limiting or captcha\n  return this.authService.resetPassword(resetDto);\n}"
      }
    ],
    "fixes": [
      {
        "description": "Login with per-route throttling (rate limiting only; account lockout must be implemented separately, e.g. per-username failed-attempt counting in the auth service)",
        "code": "@Post('login')\n@Throttle({ default: { limit: 5, ttl: 60000 } }) // 5 attempts per minute; ttl is in ms (@nestjs/throttler v5+), only enforced when ThrottlerGuard is registered\nasync login(@Body() loginDto: LoginDto) {\n  return this.authService.validateUser(loginDto);\n}"
      },
      {
        "description": "Express with rate limiting middleware",
        "code": "const rateLimit = require('express-rate-limit');\n\n// If the app runs behind a reverse proxy or load balancer, call app.set('trust proxy', <hops>)\n// first; otherwise every client shares the proxy's IP and the limit is applied globally.\nconst loginLimiter = rateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 5, // 5 attempts per client IP per windowMs (`limit` in express-rate-limit >= 7)\n  standardHeaders: true, // RateLimit-* headers\n  legacyHeaders: false, // drop X-RateLimit-* headers\n  message: 'Too many login attempts'\n});\n\n// Per-IP limiting alone is bypassed by distributed attackers; pair it with per-account attempt tracking.\napp.post('/auth/login', loginLimiter, (req, res) => {\n  // authentication logic\n});"
      },
      {
        "description": "NestJS with ThrottlerModule and a global ThrottlerGuard (forRoot only configures limits; nothing is enforced until the guard is registered)",
        "code": "@Module({\n  imports: [\n    ThrottlerModule.forRoot([{\n      ttl: 60000, // window in ms\n      limit: 5,\n    }]),\n  ],\n  providers: [\n    // Without a guard the ThrottlerModule configuration is never applied to requests.\n    { provide: APP_GUARD, useClass: ThrottlerGuard },\n  ],\n})\nexport class AuthModule {}"
      }
    ]
  },
  "testing": {
    "testCases": [
      {
        "name": "login_without_rate_limit",
        "type": "violation",
        "description": "Login endpoint without rate limiting"
      },
      {
        "name": "auth_without_throttle",
        "type": "violation", 
        "description": "Authentication without throttling"
      },
      {
        "name": "password_reset_unprotected",
        "type": "violation",
        "description": "Password reset without protection"
      },
      {
        "name": "login_with_rate_limit",
        "type": "clean",
        "description": "Login with proper rate limiting"
      },
      {
        "name": "auth_with_throttle",
        "type": "clean",
        "description": "Authentication with throttling"
      },
      {
        "name": "password_reset_protected",
        "type": "clean",
        "description": "Password reset with protection"
      }
    ]
  },
  "performance": {
    "complexity": "O(n)",
    "description": "Linear complexity based on number of authentication endpoints and middleware usage"
  }
}
