spec checked
OWASP WSTG testing weak lockout mechanism
Documents account lockout as a brute-force mitigation, the balance between protecting the account and preserving legitimate access, thresholds for unsuccessful attempts, lockout duration, self-service unlock, and administrator unlock paths.
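As an added illustration of the mechanism this test examines (example code, not from the WSTG or from this pattern library; the five-attempt threshold, the 15-minute duration and all class and method names are assumptions), a tracker that applies a failure threshold, a timed lockout that a correct password cannot bypass, and an explicit unlock path for self-service or administrator use:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Added illustration (not OWASP's code): an account-lockout tracker with the
# elements the WSTG test examines. Threshold and duration are assumed values.

@dataclass
class LockoutPolicy:
    max_failures: int = 5                             # attempts before lockout
    lockout_for: timedelta = timedelta(minutes=15)    # lockout duration
@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())
    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:      # lock expired: start a fresh window
            st.locked_until, st.failures = None, 0
            return False
        return True
    def record_failure(self, user: str, now: datetime) -> bool:
        """Count a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_for
            return True
        return False
    def record_success(self, user: str, now: datetime) -> bool:
        """Return False while locked: a correct password must not bypass the lock."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures = 0
        return True
    def unlock(self, user: str) -> None:
        """Self-service (after a verified reset) or administrator unlock path."""
        self.accounts[user] = AccountState()
```

The `now` parameter is passed in rather than read from the clock so the lockout window and its expiry can be checked deterministically.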
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Login | Choose login when the user has submitted credentials or an authenticator and the UI must show the result, next retry, lockout, or session-created state. | Submitting credentials enters one clear verifying state and prevents duplicate submissions until the login result returns. | OWASP WSTG supports testing lockout thresholds, unlock duration, self-service unlock, and administrator unlock paths. |
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Web Security Testing Guide. Last checked: .