|
Task Description
Hi my name is Rehan and I discovered that the login endpoint at https://admin.alwaysdata.com/login/?next=/ doesn't have any sort of rate limiting in place.
This leads to account takeover of any user. You just have to know his/her email. That's the only prerequisite.
What I did:
1. I sent 50 login requests using intruder.
2. Set the intruder with fake 49 passwords and 50th being the correct password.
3. All requests go through without any error like too many requests, IP block or even temporary account lockout.
4. All 49 requests were processed with 200 OK implying that the password is wrong. However the 50th request gives a 302 error confirming the correct password.
IMPACT:
Account takeover:
This will give an attacker a way to send lot of requests and ultimately takeover the victim account when the response shows a 302 redirection.
I have read your stance on absence of rate limit on password reset endpoints as i read the tasklist. I know email flooding isn't really a big of a problem. However, I'm sending you this report because having no rate limit on login endpoint doesn't seem all too well. This is because having no rate limit on login leads to account takeover of any user.
It's not about flooding someone's inbox but actually taking over someone else's account. I hope you get my point here.
Recommendation:
1. Implement rate limiting after certain number of attempts. Give the user some time to try again like after 5 minutes.
2. Block the IP from sending more requests and send an automated message to victim informing him of login attempts.
|
