The lockout flaw is common in web services. Although they are less visible than web pages, web services often do not have basic security measures such as login lockout configured correctly. Handling it gives your service solid protection against automated login attempts.
To make sure your service behaves properly on login lockouts, create a loop of login requests in which the incorrect password is updated automatically on each iteration. If the service does not lock the account after a certain number of failed attempts, there is a potential security risk.
First request:

<login>
  <username>smartbear</username>
  <password>yesitdoes!1</password>
</login>

Second request:

<login>
  <username>smartbear</username>
  <password>yesitdoes!2</password>
</login>
To ensure the lockouts help protect your service from unwanted logins, enable a 6-24 hour lockout after three failed attempts, and double the lockout time for each further unsuccessful attempt. This makes automated attempts to reach your service completely inefficient.
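The following is an added example, not code from the original page or from SmartBear: a toy in-memory login service that implements the lockout policy just described (lock after three failures, double the lockout on each further failure), together with the check from the procedure above, a loop that sends incrementing wrong passwords and reports at which attempt the service locked. It assumes a 6-hour first lockout capped at 24 hours as one reading of the "6-24 hour" guidance, and uses a fake clock so the hours-long lockouts can be exercised instantly; the user name and passwords are constructed sample data.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # Assumption: first lockout 6 h, doubling per further failure, capped at 24 h.
    threshold: int = 3               # failed attempts before the first lockout
    base_lockout: float = 6 * 3600   # seconds; length of the first lockout
    max_lockout: float = 24 * 3600   # seconds; cap on the doubling


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts
    lockouts: int = 0         # lockouts imposed so far (drives the doubling)
    locked_until: float = 0.0 # clock value at which the current lockout ends


class LoginService:
    """Toy login endpoint. `users` maps username -> password (constructed sample
    data); `policy=None` models a service with no lockout at all."""

    def __init__(self, users, policy=None, clock=time.monotonic):
        self.users = dict(users)
        self.policy = policy
        self.clock = clock
        self.state = {}

    def login(self, username, password):
        now = self.clock()
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        stored = self.users.get(username, "")
        # Constant-time comparison so response time does not leak how much matched.
        if username in self.users and hmac.compare_digest(stored.encode(), password.encode()):
            self.state[username] = AccountState()  # success clears the counters
            return "ok"
        st.failures += 1
        if self.policy and st.failures >= self.policy.threshold:
            duration = min(self.policy.base_lockout * 2 ** st.lockouts, self.policy.max_lockout)
            st.locked_until = now + duration
            st.lockouts += 1
            return "locked"
        return "denied"

    def lockout_remaining(self, username):
        st = self.state.get(username, AccountState())
        return max(0.0, st.locked_until - self.clock())


def probe_lockout(service, username, max_attempts=10):
    """The article's check: send wrong passwords yesitdoes!1, yesitdoes!2, ... and
    return the attempt at which the service reported a lockout, or None if it never
    locked, which is the finding to report."""
    for i in range(1, max_attempts + 1):
        if service.login(username, f"yesitdoes!{i}") == "locked":
            return i
    return None


class FakeClock:
    """Controllable clock so multi-hour lockouts can be tested without waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    users = {"smartbear": "sample-correct-password"}  # constructed credentials
    hardened = LoginService(users, LockoutPolicy(), clock)
    unprotected = LoginService(users, None, clock)
    first_lock = probe_lockout(hardened, "smartbear")      # locks on attempt 3
    durations = [hardened.lockout_remaining("smartbear")]   # 6 h
    for _ in range(3):
        clock.advance(durations[-1] + 1)                   # wait the lockout out
        hardened.login("smartbear", "yesitdoes!wrong")     # one more failure
        durations.append(hardened.lockout_remaining("smartbear"))
    return {
        "hardened_locked_at_attempt": first_lock,
        "lockout_hours": [d / 3600 for d in durations],     # 6, 12, 24, 24 (capped)
        "unprotected_locked_at_attempt": probe_lockout(unprotected, "smartbear"),
    }


if __name__ == "__main__":
    print(demo())
```

Run against the hardened service, the probe stops at the third attempt and each subsequent failure after the lockout expires doubles it until the cap; run against the unprotected service it exhausts all ten attempts and returns None, which is exactly the condition the procedure above flags as a risk.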