OutSystems lock against brute force attack

I want to start a discussion on OutSystems lockout against brute force attacks.

Can anybody help me in understanding the OutSystems lockout against brute force attacks?

Actually, while testing we noticed that the error message for the 1st and 2nd back off is only displayed after the next login attempt (i.e. if the value of the site property "MaxUsernameAttemptsFirstBackoff" is "3", then we expected the error message to be displayed directly after the 3rd failed login attempt, but in practice it is displayed after the 3rd login attempt, thus the 4th attempt).

I need to understand how these error messages are handled.


Sundeep

MVP

Hi,

This is the official document from OutSystems on how brute force attacks are handled:

https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Protection_against_Brute_Force_Attacks

Regards,

Daniel

MVP

Hi Sundeep,


In addition to what Daniël mentioned, you can clone the Users module and check the code by yourself:


1. Locate a reference to the Users module and "Open Users module" and confirm when asked if you want to have a clone;


2. Open the action IPAddress_GetBlocks and there you have the code or just see where the site properties are being used:



Kind Regards,
João
