Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Fahimhusain Raydurg - 05.02.2024
Last edited by cbay - 06.02.2024

FS#26 - #1 Critical Vulnerability Name: No Rate Limit in adding Sites which consumes large amount of band

Vulnerability Name: No Rate Limit in adding Sites

Impact:
- This may consume a large amount of bandwidth and, sometimes, require large amounts of storage space.

How to reproduce this issue:

1. Use Burp Suite and capture the Sites request.

2. Send the captured request to Intruder and select name position as shown in POC.

3. Set the payload type to numbers, ranging from 1 to 40 (depending on your usage).

4. Observe that the status code is 302, which means we can add unlimited Sites.

Recommendation:
1. There should be some rate limit for Add Sites (Example: should not exceed more than 10 Sites)

2. Implement Captcha, the captcha should not be based on IP.

POC:
- Video file in below link.
- Link: https://www.mediafire.com/file/q9ir608diysdnhj/Always+Data+Poc-1.mp4/file
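To make the recommendation concrete from the defender's side, here is an added example of a per-minute, per-account rate limit in front of an "add site" handler. It is not alwaysdata's code: the endpoint stand-in, the account key, the 10-per-minute threshold, the 302/429 status codes and the burst of 40 requests are all assumptions or constructed input. The budget is keyed on the authenticated account rather than the client IP, which is the point of the report's "should not be based on IP" remark: a shared NAT is not penalised, and rotating source addresses does not buy a fresh budget.

```python
"""Per-account sliding-window rate limit for an "add site" endpoint.

Added example, not alwaysdata's code. The endpoint, the account key,
the 10-per-minute threshold and the 302/429 status codes are assumptions.
"""
import time
from collections import deque

WINDOW_SECONDS = 60.0
MAX_PER_WINDOW = 10  # assumed threshold (the report suggests 10 sites)


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key.

    The key is the authenticated account, not the client IP.
    """

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self._clock = clock
        self._events = {}  # key -> deque of event timestamps, oldest first

    def _prune(self, key, now):
        # Drop events that have aged out of the window.
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key, now=None):
        """Record one event for `key`; return True if it is within budget."""
        now = self._clock() if now is None else now
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key, now=None):
        """Seconds until the oldest counted event leaves the window (0 if under budget)."""
        now = self._clock() if now is None else now
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


def handle_add_site(limiter, account_id, site_name, now=None):
    """Stand-in for the endpoint: 302 on success (as in the report), 429 when limited."""
    if not limiter.allow(account_id, now):
        wait = int(limiter.retry_after(account_id, now)) + 1
        return 429, {"Retry-After": str(wait)}
    # Site creation would happen here in the real handler.
    return 302, {"Location": f"/sites/{site_name}"}


def simulate_burst(n=40, limit=MAX_PER_WINDOW):
    """Replay a constructed Intruder-style burst of n requests within a few seconds.

    Returns (number of 302 responses, number of 429 responses).
    """
    limiter = SlidingWindowLimiter(limit=limit)
    statuses = [
        handle_add_site(limiter, "acct-1", f"site{i}", now=i * 0.1)[0]
        for i in range(n)
    ]
    return statuses.count(302), statuses.count(429)


if __name__ == "__main__":
    print(simulate_burst())  # (10, 30): first 10 succeed, the other 30 are rejected
```

The `Retry-After` header tells a well-behaved client when the oldest counted request will age out; a monitoring rule on the 429 rate per account is a cheap way to spot burst tooling without blocking ordinary use.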

Closed by cbay
06.02.2024 12:53
Reason for closing: Invalid
Admin
cbay commented on 05.02.2024 12:38

Hello,

There is a rate limit (i.e. a limit to the number of requests you can do in a single minute). The bandwidth you've generated is absolutely tiny.

Note that it's unrelated to the number of sites (or, in general, objects) you can have. It is unlimited by choice.

Kind regards,
Cyril

Hello Cyril,

I would like to inquire about the limitations on the number of items that can be processed in a single minute. If I exceed this limit, will my report still be accepted?

Thank you for your clarification.

Admin
cbay commented on 05.02.2024 13:22

No, as denial of service attacks are explicitly [excluded](https://help.alwaysdata.com/en/security/bug-bounty/#invalid-reports) from our bug bounty scope.
