Security vulnerabilities

  • Status Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by testing.com - 18.03.2026
Last edited by cbay - 18.03.2026

FS#309 - Missing Rate Limiting & Lack of Access Control on /permissions/add/ allows Bulk User Addition / Priv

Summary: The endpoint https://admin.alwaysdata.com/permissions/add/ is vulnerable to a complete lack of rate limiting and missing function-level access controls. An authenticated attacker can send hundreds of requests in a short time to add new users or grant permissions to existing users without any restriction (CAPTCHA, 429 status code, or account lockout). This was confirmed by receiving a "Profile initialization" email from Alwaysdata for the injected email address.

Steps to Reproduce:

1. Log in to your Alwaysdata admin account.

2. Open Burp Suite (or any HTTP proxy) and intercept the request when adding a new user or permission via the /permissions/add/ endpoint.

3. Send this request to Intruder (or any automation tool).

4. Set a payload position on the email parameter (e.g., email=victim%2Bpayload@example.com).

5. Configure the payloads to generate 100 different email addresses (using %2B addressing or random strings).

6. Start the attack. Send all 100 requests without any delay.

7. Observe the responses.

8. Check your email inbox associated with the payload email addresses.

Proof of Concept: Intruder Results (Attached Image): The attached screenshot shows that 100 requests were sent. All returned a 302 Found status code with identical response lengths. No rate limiting (e.g., 429 status) was observed.

Confirmation Email (Attached Image): The second screenshot shows an email received from Alwaysdata titled "Profile initialization…" confirming that a new user/profile was created or permissions were granted due to the automated requests. This proves the vulnerability has a real impact.

Impact: An attacker can automate the creation of hundreds of user accounts or grant permissions to existing accounts.

This can lead to denial of service (filling the database), account takeover, and privilege escalation.

The lack of rate limiting makes it trivial to brute-force or enumerate valid user addition processes.

Suggested Fix:

Implement strict rate limiting on the /permissions/add/ endpoint (e.g., max 5 requests per minute per user/IP).

Implement CAPTCHA for sensitive actions like adding users.

Ensure proper function-level access control checks are performed for every request.
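As an added illustration (not Alwaysdata's own code; the maintainer's reply below states that a higher, infrastructure-protecting limit already exists), here is the kind of per-principal sliding-window limit the report suggests for /permissions/add/. The handler, the user/email parameters and the 5-requests-per-minute threshold are assumptions taken from the report's suggested fix.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window_seconds` for each key.

    The key is the principal the limit applies to: an authenticated user id
    (so many addresses from one account are throttled) or a client IP.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so tests can advance time
        self._hits = defaultdict(deque)  # key -> timestamps of recent hits

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False                # over budget: caller should answer 429
        hits.append(now)
        return True


# Threshold from the report's suggestion: max 5 requests/minute per user.
PERMISSIONS_ADD_LIMITER = SlidingWindowLimiter(limit=5, window_seconds=60)


def handle_permissions_add(user_id, email, limiter=PERMISSIONS_ADD_LIMITER):
    """Hypothetical handler for POST /permissions/add/.

    Returns (status_code, body). The limit check runs before any mail is
    sent, so a burst of automated submissions is refused rather than each
    one triggering a "Profile initialization" email.
    """
    if not limiter.allow(user_id):
        return 429, "Too many requests; try again later"
    # Normal processing (create the user / grant the permission) would go
    # here; the original endpoint answers with a 302 redirect on success.
    return 302, "/permissions/"
```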

Closed by cbay
18.03.2026 13:53
Reason for closing: Invalid
Admin
cbay commented on 18.03.2026 13:53

Hello,

There is a rate-limit, but higher than what you expect. Its only purpose is to protect our infrastructure, which is why it can be set quite high.

You can only send emails to different email addresses (whether they are aggregated to the same mailbox is out of our control), and you cannot insert anything in the message anyway, so it's rather pointless.

This can lead to denial of service (filling the database), account takeover, and privilege escalation.

Not true.

Kind regards,
Cyril
