- Status: Closed
- Assigned To: cbay - Private
- Opened by Zain721 - 25.10.2024
- Last edited by cbay - 28.10.2024
FS#89 - Vulnerability Report: Missing Rate Limiting on Password Reset Page (Potential Brute-force Exposure)
Hello Alwaysdata Security Team,
I hope this message finds you well.
I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page".
Vulnerability Details:
The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions. I sent the request to Intruder, set my email, set the payload to around 80 iterations, and the server sent 80 links to my email (forgot-password email links).
Impact:
Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information.
Recommendation:
To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security.
Thank you for reviewing this report. Please feel free to reach out if you need additional information.
Kindly coordinate with me via this email:
zainulabideen78626@gmail.com
Best Regards,
Zain-Ul-Abideen
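The recommendation above (a request cap per time window on the reset endpoint) is straightforward to implement server-side. The following is an added example written for this page, not Alwaysdata's code: a sliding-window limiter keyed both by normalised e-mail address and by client IP, with a constant response body so the endpoint reveals neither account existence nor the limiter state. The thresholds, the in-memory store and the replay of the 80-request Intruder run are assumptions for illustration.

```python
"""Added example (not Alwaysdata's code): rate limiting a password-reset
endpoint per e-mail address and per client IP, with a fixed response body."""
from collections import deque
import time

# Assumed thresholds for illustration; tune them to real traffic.
PER_EMAIL_LIMIT = 3      # reset mails per address per window
PER_IP_LIMIT = 10        # reset requests per client IP per window
WINDOW_SECONDS = 3600    # sliding window length in seconds

# Same text whether or not a mail is sent, and whether or not the limit hit.
GENERIC_RESPONSE = "If that address exists, a reset link has been sent."


class ResetRateLimiter:
    """Sliding-window limiter keyed by normalised e-mail and by client IP."""

    def __init__(self, per_email=PER_EMAIL_LIMIT, per_ip=PER_IP_LIMIT,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.per_email = per_email
        self.per_ip = per_ip
        self.window = window
        self.clock = clock            # injectable so the replay can fake time
        self._hits = {}               # key -> deque of request timestamps

    def _bucket(self, key, now):
        """Return the timestamp queue for `key` with expired entries dropped."""
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, email, ip):
        """True if a reset mail may be sent; records the attempt only then.

        Both buckets are inspected before either is updated so a rejected
        request does not consume quota in the other dimension."""
        now = self.clock()
        email_q = self._bucket(("email", email.strip().lower()), now)
        ip_q = self._bucket(("ip", ip), now)
        if len(email_q) >= self.per_email or len(ip_q) >= self.per_ip:
            return False
        email_q.append(now)
        ip_q.append(now)
        return True


def handle_reset_request(limiter, email, ip):
    """Decide whether to send a reset mail for this request.

    A real handler would mint a single-use token and send the mail when
    `send` is True; the HTTP response text is identical either way."""
    send = limiter.allow(email, ip)
    return send, GENERIC_RESPONSE


def replay_intruder_run(attempts=80, email="victim@example.com", ip="203.0.113.5"):
    """Constructed replay of the scenario in the report: one address submitted
    `attempts` times from one client, one request per second. Returns the
    number of reset mails that would actually go out."""
    fake_now = [0.0]
    limiter = ResetRateLimiter(clock=lambda: fake_now[0])
    sent = 0
    for _ in range(attempts):
        fake_now[0] += 1.0
        send, _body = handle_reset_request(limiter, email, ip)
        sent += send
    return sent


if __name__ == "__main__":
    print(replay_intruder_run())   # 3 with the assumed limits, not 80
```

Keying on the normalised address stops trivial bypasses such as changing letter case or adding whitespace; the per-IP bucket catches an attacker rotating through many addresses from one host. In production the buckets would live in a shared store (for example Redis) rather than process memory, and a CAPTCHA step, as the report suggests, can be triggered once the per-IP bucket is near its limit.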
Kindly contact me through my email because I can't check this portal frequently:
zainulabideen78626@gmail.com
Hello,
I don't see how sending many password reset emails would help an attacker gain access to anything. You didn't explain at all.
Kind regards,
Cyril