- Status: Closed
- Assigned To: cbay
- Private
- Opened by waloodi_109 - 27.11.2024
- Last edited by cbay - 27.11.2024
FS#111 - Missing rate limit for current password field (Password Change) Account Takeover
Missing rate limit for current password field (Password Change) Account Takeover:
Vulnerability: Missing Rate Limit for Current Password field (Password Change) Account Takeover
Steps to reproduce the bug:
1) Go to Profile > Password. Enter any (wrong) password in the old password field.
2) Now enter the new password and turn Intercept ON.
3) Capture the request, send the request to Intruder and add a payload marker on the current password value.
4) Add the payload for the password field with a list of more than 100 passwords for testing and start the attack.
BOOM!
Screen shot is attached as a proof of concept.
Impact
There is no rate limit enabled for the "Current Password" field when changing the password on your website. A malicious-minded user can continually try to brute force an account password. If a user forgets to log out of their account on a public computer, then an attacker is able to learn the correct password, and is also able to change the password to a new one by inputting a large number of payloads.
Thank You,
Waleed Anwar
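The control the report asks for, as an added example that is not part of this ticket or the site's code: a per-account sliding-window limit on failed current-password checks in the password-change handler, with a temporary lock once the threshold is reached. The threshold, window and lock durations are hypothetical values chosen for the demo, and SHA-256 stands in for a real password KDF.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Hypothetical policy values for the demo (assumption, not the site's real settings)
MAX_FAILURES = 5        # failed current-password checks tolerated ...
WINDOW_SECONDS = 300    # ... within this sliding window, per account
LOCK_SECONDS = 900      # then reject every attempt for this long


class PasswordChangeService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable so tests can advance time
        self.password_hashes = {}            # user -> hash (demo only; use argon2/bcrypt for real)
        self.failures = defaultdict(deque)   # user -> timestamps of recent failed checks
        self.locked_until = {}               # user -> clock value when the lock expires

    def set_password(self, user, password):
        self.password_hashes[user] = hashlib.sha256(password.encode()).hexdigest()

    def _check_current(self, user, current):
        # Constant-time comparison so the check itself leaks nothing about the hash
        expected = self.password_hashes.get(user, "")
        given = hashlib.sha256(current.encode()).hexdigest()
        return hmac.compare_digest(expected, given)

    def change_password(self, user, current, new):
        now = self.clock()
        # A locked account is rejected before the password is even checked,
        # so an attacker cannot tell a correct guess from a wrong one while locked.
        if self.locked_until.get(user, 0) > now:
            return "locked"
        window = self.failures[user]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures older than the window
        if not self._check_current(user, current):
            window.append(now)
            if len(window) >= MAX_FAILURES:
                self.locked_until[user] = now + LOCK_SECONDS
                window.clear()
                return "locked"
            return "wrong_current_password"
        window.clear()                       # a successful check resets the counter
        self.set_password(user, new)
        return "changed"
```

Failed attempts should also be logged with the session and source address so that a burst of rejections on one account is visible to monitoring, not only blocked.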
Hello,
There is a rate limit. Besides, brute forcing an account that you're already connected to is rather useless.
Please note that brute force attacks are also explicitly invalid in our bug bounty program.
Kind regards,
Cyril