- Status: Closed
- Assigned To: cbay
- Private
- Opened by pentester - 20.11.2025
- Last edited by cbay - 26.11.2025

FS#241 - no rate limit vulnerability
Hello Team,
My last bug on no rate limit was closed due to duplicate. Here I am sending you one more no rate limit vulnerability.
Vulnerability name: no rate limit
Vulnerability description: A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
## Description:-
I have identified that when forgetting the password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password mails to one email.
Vulnerable URL: https://mailman.alwaysdata.com
Steps to reproduce:
1. Intercept the forget password request in Burp Suite.
2. Send the request to Intruder and Sequencer.
3. Add any path in Intruder, select the number payload and start the attack, or live capture in Sequencer.
Thank you
Screenshot (308).png
Hello,
There are rate limits.
Also note that this endpoint is for mailing list administrators, not for alwaysdata accounts.
Kind regards,
Cyril
I have received 200 plus requests on my mail.
Your attack ran for 20 minutes and the rate limit is 20 per minute, so that's expected.
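The per-minute limit Cyril describes above (20 per minute) and the rate-limiting algorithm the report mentions, as an added Python example that is not part of this tracker thread or alwaysdata's code: a sliding-window limiter keyed by client IP, plus an assumed second tier capping password-reset mails per target address per hour (the 5-per-hour figure, the IP, the address and all names are assumptions), replayed over 20 minutes of one request per second. It shows why a per-sender limit alone still lets hundreds of mails reach one mailbox, and how a per-target tier bounds that.

```python
"""Two-tier rate limiter for a password-reset endpoint (constructed example)."""
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = {}  # key -> deque of event timestamps (seconds)

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        # Drop events that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetGuard:
    """Per-sender limit (20/min per IP, as stated in the thread) plus an
    assumed per-target limit on reset mails per address per hour."""

    def __init__(self, per_ip_per_minute=20, per_target_per_hour=None):
        self.by_ip = SlidingWindowLimiter(per_ip_per_minute, 60)
        self.by_target = (SlidingWindowLimiter(per_target_per_hour, 3600)
                          if per_target_per_hour else None)

    def allow(self, ip, email, now):
        # Every attempt counts against the sender's per-minute budget ...
        if not self.by_ip.allow(ip, now):
            return False
        # ... and only attempts that pass it may consume the target's hourly budget.
        if self.by_target is None:
            return True
        return self.by_target.allow(email, now)


def simulate(guard, seconds, ip="198.51.100.7",
             email="victim@example.invalid", interval=1.0):
    """Replay `seconds` seconds of one request every `interval` seconds from
    one IP to one address (constructed traffic); return mails that got sent."""
    sent = 0
    t = 0.0
    while t < seconds:
        if guard.allow(ip, email, t):
            sent += 1
        t += interval
    return sent


if __name__ == "__main__":
    twenty_minutes = 20 * 60
    # Per-IP tier only: 20 per minute for 20 minutes -> 400 mails to one mailbox.
    print("per-IP only:", simulate(PasswordResetGuard(20), twenty_minutes))
    # Adding a per-target tier (assumed 5/hour) bounds what one mailbox receives.
    print("per-IP + per-target:", simulate(PasswordResetGuard(20, 5), twenty_minutes))
```

The per-IP tier is counted on every attempt, not only on successful ones, so a client that keeps hammering the endpoint never gains budget from its rejected requests; the per-target tier is keyed on the address being reset, so it holds even when attempts are spread across many source IPs.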