Status: Closed
Assigned To: cbay - Private
Attached to Project: Security vulnerabilities
Opened by bugbounty - 06.09.2025
Last edited by cbay - 08.09.2025
FS#209 - Ineffective Rate Limiting on Login Endpoint Allowing Excessive Invalid Attempts
Description: The login endpoint implements rate limiting to prevent abuse, but it appears ineffective. Sending 100+ requests with null/empty payloads via Burp Intruder results in consistent 200 OK responses without triggering 429. A correct password yields 302 (redirect, indicating success).
Affected Asset: https://admin.alwaysdata.com/login
Steps to Reproduce
1. Navigate to the login page (https://admin.alwaysdata.com/login).
2. Use Burp Suite Intruder to send 100+ requests with null/empty payloads.
3. Observe 200 OK responses for all, no 429.
4. Test a valid credential: receives 302.
Impact
Allows potential brute-force on passwords without reliable blocking.
Minor resource consumption from repeated requests.
Attachment: Screen Recording 2025-09-06 1...
Even if it gives 429 in Repeater, after sending another request it gives 200 again.
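The two observations on this ticket (a burst of 100 requests that never trips 429, and a single 429 that is followed straight away by 200) are what a limiter that clears its counter whenever it rejects looks like from the outside. The example below is added by the editor and is not alwaysdata's code: it models that weak pattern beside a sliding-window limiter that counts failed attempts per (client IP, username) and keeps rejecting until the failures age out of the window. The threshold (5 failures), window (60 s), the IP 203.0.113.7, the user "alice" and her password are all constructed assumptions. Note that the report's probe used empty payloads; whether those reach the authentication step depends on the implementation, so the model counts them explicitly as failures, and the decisive probe for a real deployment is repeated wrong passwords for a known username.

```python
"""Login rate limiting: a counter that resets on reject (429 then 200) versus a
sliding window over failed attempts. Constructed illustration for this ticket;
thresholds, key, IP, username and password are assumptions, not alwaysdata's
implementation."""
from collections import deque

MAX_FAILURES = 5        # assumed threshold before 429
WINDOW_SECONDS = 60     # assumed window over which failures are counted

# Constructed credential store: one account, one valid password.
USERS = {"alice": "correct-horse-battery-staple"}


class ResettingLimiter:
    """Weak pattern: the counter is cleared each time the limiter rejects, so
    every 429 is immediately followed by a 200 on the next attempt. The clock
    argument is ignored; this variant has no notion of a window at all."""

    def __init__(self):
        self.failures = {}

    def allow(self, key, now):
        if self.failures.get(key, 0) >= MAX_FAILURES:
            self.failures[key] = 0          # defect: reset on reject
            return False
        return True

    def record_failure(self, key, now):
        self.failures[key] = self.failures.get(key, 0) + 1


class SlidingWindowLimiter:
    """Keeps the timestamps of failed attempts from the last WINDOW_SECONDS per
    key and rejects while MAX_FAILURES or more of them are still inside it."""

    def __init__(self):
        self.failures = {}

    def _recent(self, key, now):
        dq = self.failures.setdefault(key, deque())
        while dq and now - dq[0] >= WINDOW_SECONDS:
            dq.popleft()                    # drop failures that aged out
        return dq

    def allow(self, key, now):
        return len(self._recent(key, now)) < MAX_FAILURES

    def record_failure(self, key, now):
        self._recent(key, now).append(now)


def login(limiter, client_ip, username, password, now):
    """Returns the status the endpoint would send: 429 (limited), 200 (form
    re-rendered after a failed or empty attempt) or 302 (success).
    The limiter is consulted before the password check, so a correct password
    is also refused while the key is locked out."""
    key = (client_ip, username)             # limit per source and per account
    if not limiter.allow(key, now):
        return 429
    if password and USERS.get(username) == password:
        return 302
    limiter.record_failure(key, now)        # empty payloads count as failures
    return 200


def burst(limiter, n, password="", start=0.0, step=0.01):
    """Replays n rapid attempts from one IP against one account, Intruder
    style, and returns the list of status codes in order."""
    return [login(limiter, "203.0.113.7", "alice", password, start + i * step)
            for i in range(n)]


if __name__ == "__main__":
    weak = burst(ResettingLimiter(), 100)
    print("resetting limiter:", weak.count(200), "x 200,", weak.count(429), "x 429")
    print("first 429 at attempt", weak.index(429), "-> next attempt:", weak[weak.index(429) + 1])
    lim = SlidingWindowLimiter()
    strong = burst(lim, 100)
    print("sliding window:   ", strong.count(200), "x 200,", strong.count(429), "x 429")
    print("correct password at t=30s:", login(lim, "203.0.113.7", "alice", USERS["alice"], 30.0))
    print("correct password at t=61s:", login(lim, "203.0.113.7", "alice", USERS["alice"], 61.0))
```

Keying on the (IP, username) pair is a compromise: an IP-only key is trivially spread across many sources, while a username-only key lets an attacker lock a victim out of their own account. A production limiter would back the window with shared storage (Redis or similar) so that every application instance sees the same counts; the in-memory dict here is only for the simulation.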