Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by pentester - 16.11.2025
Last edited by cbay - 17.11.2025

FS#238 - no rate limit vulnerability means service lacks controls to restrict the number of requests

Vulnerability name: no rate limit
Vulnerability description: A little bit about rate limit:
A rate limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache.
In case a client makes too many requests within a given timeframe, HTTP servers can respond with status code 429: Too Many Requests.
## Description:-
I have identified that when forgetting the password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password mails to one email.

Vulnerable URL: https://admin.alwaysdata.com/password/lost/

Steps to reproduce:
Step 1: Intercept the forgot-password request in Burp Suite.
Step 2: Send the request to Intruder and Sequencer.
Step 3: Add any path in Intruder, select the number payload and start the attack, or use live capture in Sequencer.

   bug.pdf (1.71 MiB)
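As an added example (not code from this ticket or from alwaysdata), a sliding-window limiter for a password-reset endpoint that answers 429 Too Many Requests with a Retry-After header once a source IP or a target address exceeds its quota; the limits, the key names and the `handle_password_lost` function are assumptions.

```python
import time
from collections import deque

# Added example: sliding-window rate limiter keyed independently by client IP
# and by target e-mail address. Limits and key names are assumptions, not
# alwaysdata's actual configuration.
class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = {}  # key -> deque of request timestamps

    def check(self, key, now=None):
        """Record one request for key. Returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        # drop timestamps that have fallen out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # seconds until the oldest in-window request expires
            retry_after = int(self.window - (now - q[0])) + 1
            return False, retry_after
        q.append(now)
        return True, 0

IP_LIMITER = SlidingWindowLimiter(limit=5, window_seconds=900)     # per source IP
EMAIL_LIMITER = SlidingWindowLimiter(limit=3, window_seconds=3600)  # per target address

def handle_password_lost(client_ip, email, now=None):
    """Minimal model of the endpoint: returns (HTTP status, response headers)."""
    for limiter, key in ((IP_LIMITER, f"ip:{client_ip}"),
                         (EMAIL_LIMITER, f"email:{email.strip().lower()}")):
        allowed, retry_after = limiter.check(key, now)
        if not allowed:
            return 429, {"Retry-After": str(retry_after)}
    # The reset mail would be queued here. Respond identically whether or not
    # the address exists, so the endpoint does not double as an account oracle.
    return 200, {}

if __name__ == "__main__":
    for t in range(5):  # constructed sample: one address hit repeatedly
        print(handle_password_lost("203.0.113.7", "User@example.com", now=float(t)))
```

The per-address limiter is what stops the "mass password mails to one email" case the report describes, even when the sender rotates source IPs.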
Closed by  cbay
17.11.2025 08:31
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysdata.com/task/40
