Security vulnerabilities

  • Status Closed
  • Assigned To
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 23.03.2024
Last edited by mdugue - 27.03.2024

FS#40 - No Rate Limit On Reset Password in

No Rate Limit On Reset Password in

welcome all :
i found that no rate limit in reset password in ::: Summary:
No rate limit check on forgot password which can lead to mass mailing and spamming of users and possible employees
A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
Steps To Reproduce The Issue
1- create account and go to reset password
2- intercept burp and send request to intruder
3- make payload and start attack

1- Attacker could use this vulnerability to bomb out the email inbox of the victim.
2- Attacker could send Spear-Phishing to the selected mail address.
3-Causing financial losses to the company

Closed by  mdugue
27.03.2024 08:56
Reason for closing:  Invalid

Hi team
Is there any update to this report?



Actually, we *do* have a rate limiter for those kind of requests. I don't know how you tested it, but your report states that you didn't reach that limit during your tests, and is therefore invalid.


Tell me how much the limit is because I reached more than 130 successful requests, the bugs bounty the bug is approved after you reach more than 100 successful requests.
I'm going to send a video explaining this, and I hope to reopen the report so that this information doesn't leak to the public.


[external link redacted]
[external link redacted]

These pictures show the success of the operation, and you can confirm by repeating the test


Thanks for your screenshots.

Requests are limited to 10 per minute. According to our logs, your 130 requests ramped over 24 minutes. It's far from a DDoS attack nor a mailbox bombing (10 mails per minute can be at most annoying).

We confirm this report as invalid.


=========10 mails per minute can be at most annoying)=========

Surely this is annoying
The number of messages that arrived was 230, not 130
This causes inconvenience to users and causes financial losses to the company


Available keyboard shortcuts


Task Details

Task Editing