Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Zain721 - 25.10.2024
Last edited by cbay - 28.10.2024

FS#89 - Vulnerability Report: Missing Rate Limiting on Password Reset Page (Potential Brute-force Exposure)

Hello Alwaysdata Security Team,

I hope this message finds you well.

I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page".
Vulnerability Details:

The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions. I sent the request to Intruder, set my email, set the payload around 80 times, and the server gave me 80 links in my email (forgot password email link).

Impact:

Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information.

Recommendation:

To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security.

Thank you for reviewing this report. Please feel free to reach out if you need additional information.

Kindly coordinate with me on this email,
zainulabideen78626@gmail.com

Best Regards,
Zain-Ul-Abideen
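The control the report recommends (a cap on reset requests per address and per source within a time window) can be implemented as a sliding-window limiter in front of the reset handler. The block below is an added example, not alwaysdata's code and not code from the reporter; the limits (3 mails per address per hour, 20 per IP per hour), the key choice, and the clock/mailer stand-ins are assumptions chosen for illustration. It replays the report's scenario of 80 requests for one address and shows the public reply staying identical whether a mail went out or the caller was throttled, so the limiter does not turn into an account-enumeration oracle.

```python
"""Added example, not alwaysdata's code: sliding-window rate limiting for a
password-reset endpoint, keyed on both the requested address and the client IP.
The limits and window length are assumptions picked for illustration."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable so tests can fake time
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()            # drop timestamps that fell out of the window
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class PasswordResetService:
    """Reset endpoint guarded by two limiters: one per address, one per source IP."""

    GENERIC_REPLY = "If that address is registered, a reset link has been sent."

    def __init__(self, clock=time.monotonic):
        # Assumed policy: 3 reset mails per address per hour, 20 per IP per hour.
        self.per_email = SlidingWindowLimiter(limit=3, window=3600, clock=clock)
        self.per_ip = SlidingWindowLimiter(limit=20, window=3600, clock=clock)
        self.sent = []       # constructed stand-in for the mailer
        self.throttled = []  # (reason, key) records for monitoring to alert on

    def request_reset(self, email, client_ip):
        email = email.strip().lower()
        if not self.per_ip.allow(client_ip):
            self.throttled.append(("ip", client_ip))
        elif not self.per_email.allow(email):
            self.throttled.append(("email", email))
        else:
            self.sent.append(email)   # real code would look up the user and mail a token here
        # Same reply whether the mail went out, the caller was throttled, or the
        # address is unknown, so the limiter does not become an enumeration oracle.
        return self.GENERIC_REPLY


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def replay_report(attempts=80, email="victim@example.com", ip="203.0.113.7"):
    """Re-create the report's scenario: `attempts` resets for one address from one IP.
    Returns (mails_sent_in_window, mails_sent_after_window, throttled_events)."""
    clock = FakeClock()
    svc = PasswordResetService(clock=clock)
    for _ in range(attempts):
        svc.request_reset(email, ip)
        clock.now += 1.0            # one request per second, well inside the window
    sent_in_window = len(svc.sent)
    clock.now += 3600.0             # the hour elapses; the per-address budget refills
    svc.request_reset(email, ip)
    return sent_in_window, len(svc.sent), len(svc.throttled)


if __name__ == "__main__":
    print(replay_report())          # (3, 4, 77) under the assumed limits
```

With the assumed policy the 80-request replay delivers 3 mails instead of 80, records 77 throttled events (17 by the per-address limit while the IP budget lasts, then 60 by the per-IP limit), and delivers one more once the window has passed. The `throttled` records are the natural place to drive the CAPTCHA step-up the report also suggests, and to feed an alert on sustained reset abuse.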

Closed by  cbay
28.10.2024 08:36
Reason for closing:  Invalid

Kindly contact me through my email because I can't frequently see this portal.
zainulabideen78626@gmail.com

Admin
cbay commented on 25.10.2024 11:44

Hello,

I don't see how sending many password reset emails would help an attacker gain access to anything. You didn't explain at all.

Kind regards,
Cyril
