Status: Closed
Assigned To: mdugue - Private
Opened by monty099 - 23.03.2024
Last edited by mdugue - 27.03.2024
FS#40 - No Rate Limit On Reset Password in admin.alwaysdata.com
Welcome all:
I found that there is no rate limit on the reset password page at https://admin.alwaysdata.com/password/lost/
Summary:
No rate limit check on forgot password, which can lead to mass mailing and spamming of users and possibly employees.
A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
Steps To Reproduce The Issue
1- Create an account and go to reset password
2- Intercept with Burp and send the request to Intruder
3- Make a payload and start the attack
Impact
1- An attacker could use this vulnerability to bomb the victim's email inbox.
2- An attacker could send spear-phishing to the selected mail address.
3- Causing financial losses to the company.
Hi team
Is there any update to this report?
Hi,
Actually, we *do* have a rate limiter for those kinds of requests. I don't know how you tested it, but your report states that you didn't reach that limit during your tests, and is therefore invalid.
Regards,
Hi
Tell me how much the limit is, because I reached more than 130 successful requests; in bug bounties, the bug is approved after you reach more than 100 successful requests.
I'm going to send a video explaining this, and I hope to reopen the report so that this information doesn't leak to the public.
Hi,
[external link redacted]
[external link redacted]
These pictures show the success of the operation, and you can confirm by repeating the test.
Thanks for your screenshots.
Requests are limited to 10 per minute. According to our logs, your 130 requests were spread over 24 minutes. It's far from a DDoS attack or a mailbox bombing (10 mails per minute can be at most annoying).
We confirm this report as invalid.
Best,
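To make concrete what the report's "rate limiting algorithm" paragraph describes and the 10-per-minute figure in the reply above, here is an added sliding-window limiter for a password-reset endpoint (illustration only, not alwaysdata's code). It assumes the stated limit of 10 requests per 60 seconds, keys on both the client IP and the target address (the second key is an assumption), and replays constructed request timings, including the reported pace of 130 requests over 24 minutes.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit=10, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of counted requests

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: the request is refused and not counted
        q.append(now)
        return True


class ResetRateLimiter:
    """Limit password-reset requests per client IP and per target address (assumed design)."""

    def __init__(self, limit=10, window=60.0):
        self.by_ip = SlidingWindowLimiter(limit, window)
        self.by_email = SlidingWindowLimiter(limit, window)

    def allow(self, client_ip, email, now):
        # Reject if either key is exhausted; short-circuit so a refused
        # request is not charged against the address quota.
        return self.by_ip.allow(client_ip, now) and self.by_email.allow(email.lower(), now)


def simulate(timestamps, client_ip="203.0.113.7", email="victim@example.com", limit=10):
    """Replay reset requests at the given times (seconds); return (allowed, blocked)."""
    limiter = ResetRateLimiter(limit=limit)
    allowed = sum(limiter.allow(client_ip, email, t) for t in timestamps)
    return allowed, len(timestamps) - allowed


def spread(count, seconds):
    """`count` requests evenly spaced over `seconds` seconds (constructed input)."""
    return [i * seconds / count for i in range(count)]


if __name__ == "__main__":
    print(simulate(spread(130, 24 * 60)))  # reporter's pace, ~5.4/min: all allowed
    print(simulate(spread(20, 20)))        # one-second burst: 10 allowed, 10 blocked
```

At the reporter's pace every request stays under the limit, which is consistent with the reply's reading of the logs; only a burst inside one window is refused.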
> 10 mails per minute can be at most annoying
Surely this is annoying.
The number of messages that arrived was 230, not 130.
This causes inconvenience to users and causes financial losses to the company.