alwaysdata All Projects: Tasklist

ID	Status	Summary	Opened by
~~231~~	Closed	~~Bug Bounty Report: No IP, Geo, or Device Context Bindin~~ ...	nhlimon	Task Description Summary: The session management does not include any IP address, geolocation, or device fingerprinting checks. Once a session token is obtained, it can be replayed from any device, browser, or country, allowing attackers to bypass contextual integrity checks and maintain unauthorized access. Steps to Reproduce: Log in to alwaysdata.com and capture the session token (e.g., via browser DevTools or proxy). Move to a different device, browser, or VPN geolocation. Replay the captured token (e.g., by importing cookies or using the token in API headers). 🎯 Result: The session remains valid — no reauthentication, MFA challenge, or warning is triggered. Impact: Allows session hijack from another country or device without detection. No context-aware defense such as: IP or ASN consistency checks Browser/device fingerprinting Geo-velocity anomaly detection Supports stealthy unauthorized access, even if login alerts or 2FA are present.
~~229~~	Closed	~~Bug Bounty Report: Improper Restriction On Password Fun~~ ...	nhlimon	Task Description Summary: The application allows users to reuse their existing password when performing a password change or password reset. This undermines the security intent of these features, as users can bypass the enforcement of setting a new, stronger, and unique credential. Allowing password reuse increases the risk of account takeover, brute-force persistence, and failure to comply with security best practices (such as NIST SP 800-63B and OWASP ASVS), which explicitly recommend preventing the reuse of the same password. Steps to Reproduce: Log in to the alwaysdata.com application using valid credentials. Navigate to the Change Password or Password Reset functionality. Enter the current password in both the "Old Password" and "New Password" fields (or set the reset password to the same as the old one). Observe that the operation succeeds, and the password remains unchanged. Impact: Defeats the purpose of password change/reset: attackers with leaked or compromised credentials can maintain persistence by resetting to the same password. Increases susceptibility to brute force and credential stuffing, since the password remains weak or already compromised. Violates industry-standard best practices for credential management (OWASP, NIST). Reduces the effectiveness of incident response: if credentials are suspected to be exposed, forcing a reset but allowing reuse leaves accounts vulnerable. Security Best Practices Reference: NIST SP 800-63B: Recommends preventing password reuse and enforcing that new credentials differ from previously used ones. OWASP ASVS 2.1.8: Applications should prevent the use of the same value as the current password when changing or resetting credentials. Recommendation: Implement a password history check to ensure that newly set passwords are different from the current one. Enforce a configurable password history (e.g., last 3–5 passwords cannot be reused). Provide appropriate user feedback when the entered password matches the old one. Severity: High – This is a critical flaw because it undermines a fundamental security control designed to mitigate account compromise.
~~228~~	Closed	~~Bug Bounty Report: Rate Limit Bypass via IP Rotation, V~~ ...	nhlimon	Task Description Summary The application applies rate limiting on failed login attempts per IP address, but does not combine this with account- or device-based throttling. An attacker can rotate IP addresses (using VPNs, proxies, or botnets) and continue brute-force or credential stuffing attempts against the same account, effectively bypassing the rate limit. This allows high-volume automated attacks that can lead to account takeover, credential stuffing success, and large-scale account enumeration. Steps to Reproduce In the alwaysdata.com application, choose a target account (e.g., victim@example.com). From IP A, submit the maximum allowed failed login attempts until the application rate-limits further attempts from IP A. Record the response/status code. Switch to IP B (use VPN, proxy, or other IP rotation technique). Attempt to authenticate to the same target account using different password guesses. Observe that attempts from IP B are accepted and counted separately (rate limit not enforced per account). Repeat with IP C, IP D, etc., and observe continued unrestricted attempts against the same account. (Optional) Automate steps 2–4 from a list of rotating IPs to confirm large-scale brute-force is possible. Expected secure behavior: The system should limit authentication attempts per account (or per account+device fingerprint) in addition to per-IP limits. Observed insecure behavior: Authentication attempts continue after IP rotation; rate limiting is effectively bypassed. Impact Account Takeover (High): Continuous attempts across rotated IPs increase the probability of successfully brute-forcing a password or succeeding with credential stuffing. Mass Credential Stuffing (High → Critical): Attackers can target many accounts at scale by cycling IPs, causing large-scale account compromise. Recommended Fixes Enforce account-based throttling (primary) Track failed authentication attempts per account (email/username) and apply progressive throttling or temporary lockouts. Example policy: after 5 failed attempts for an account within 15 minutes, block further attempts for that account for 15 minutes. Combine IP + account limits (defense-in-depth) Use a hybrid key: limit_key = hash(account_id + ip) plus a separate limit_key = account_id. This reduces false positives while preventing IP-rotated attacks.

~~231~~

Closed

~~Bug Bounty Report: No IP, Geo, or Device Context Bindin~~ ...

Task Description

Summary:
The session management does not include any IP address, geolocation, or device fingerprinting checks. Once a session token is obtained, it can be replayed from any device, browser, or country, allowing attackers to bypass contextual integrity checks and maintain unauthorized access.

Steps to Reproduce:
Log in to alwaysdata.com and capture the session token (e.g., via browser DevTools or proxy).

Move to a different device, browser, or VPN geolocation.

Replay the captured token (e.g., by importing cookies or using the token in API headers).

🎯 Result: The session remains valid — no reauthentication, MFA challenge, or warning is triggered.

Impact:
Allows session hijack from another country or device without detection.

No context-aware defense such as:

IP or ASN consistency checks

Browser/device fingerprinting

Geo-velocity anomaly detection

Supports stealthy unauthorized access, even if login alerts or 2FA are present.

~~229~~

Closed

~~Bug Bounty Report: Improper Restriction On Password Fun~~ ...

nhlimon

Task Description

Summary:
The application allows users to reuse their existing password when performing a password change or password reset. This undermines the security intent of these features, as users can bypass the enforcement of setting a new, stronger, and unique credential. Allowing password reuse increases the risk of account takeover, brute-force persistence, and failure to comply with security best practices (such as NIST SP 800-63B and OWASP ASVS), which explicitly recommend preventing the reuse of the same password.

Steps to Reproduce:

Navigate to the Change Password or Password Reset functionality.

Enter the current password in both the "Old Password" and "New Password" fields (or set the reset password to the same as the old one).

Observe that the operation succeeds, and the password remains unchanged.

Impact:

Defeats the purpose of password change/reset: attackers with leaked or compromised credentials can maintain persistence by resetting to the same password.

Increases susceptibility to brute force and credential stuffing, since the password remains weak or already compromised.

Violates industry-standard best practices for credential management (OWASP, NIST).

Reduces the effectiveness of incident response: if credentials are suspected to be exposed, forcing a reset but allowing reuse leaves accounts vulnerable.

Security Best Practices Reference:

NIST SP 800-63B: Recommends preventing password reuse and enforcing that new credentials differ from previously used ones.

OWASP ASVS 2.1.8: Applications should prevent the use of the same value as the current password when changing or resetting credentials.

Recommendation:

Implement a password history check to ensure that newly set passwords are different from the current one.

Enforce a configurable password history (e.g., last 3–5 passwords cannot be reused).

Provide appropriate user feedback when the entered password matches the old one.

Severity: High – This is a critical flaw because it undermines a fundamental security control designed to mitigate account compromise.

~~228~~

Closed

~~Bug Bounty Report: Rate Limit Bypass via IP Rotation, V~~ ...

nhlimon

Task Description

Summary
The application applies rate limiting on failed login attempts per IP address, but does not combine this with account- or device-based throttling. An attacker can rotate IP addresses (using VPNs, proxies, or botnets) and continue brute-force or credential stuffing attempts against the same account, effectively bypassing the rate limit. This allows high-volume automated attacks that can lead to account takeover, credential stuffing success, and large-scale account enumeration.

Steps to Reproduce
In the alwaysdata.com application, choose a target account (e.g., victim@example.com).

From IP A, submit the maximum allowed failed login attempts until the application rate-limits further attempts from IP A. Record the response/status code.

Switch to IP B (use VPN, proxy, or other IP rotation technique).

Attempt to authenticate to the same target account using different password guesses. Observe that attempts from IP B are accepted and counted separately (rate limit not enforced per account).

Repeat with IP C, IP D, etc., and observe continued unrestricted attempts against the same account.

(Optional) Automate steps 2–4 from a list of rotating IPs to confirm large-scale brute-force is possible.

Expected secure behavior: The system should limit authentication attempts per account (or per account+device fingerprint) in addition to per-IP limits.
Observed insecure behavior: Authentication attempts continue after IP rotation; rate limiting is effectively bypassed.

Impact
Account Takeover (High): Continuous attempts across rotated IPs increase the probability of successfully brute-forcing a password or succeeding with credential stuffing.

Mass Credential Stuffing (High → Critical): Attackers can target many accounts at scale by cycling IPs, causing large-scale account compromise.

Recommended Fixes
Enforce account-based throttling (primary)

Track failed authentication attempts per account (email/username) and apply progressive throttling or temporary lockouts. Example policy: after 5 failed attempts for an account within 15 minutes, block further attempts for that account for 15 minutes.

Combine IP + account limits (defense-in-depth)

Use a hybrid key: limit_key = hash(account_id + ip) plus a separate limit_key = account_id. This reduces false positives while preventing IP-rotated attacks.

Showing tasks 1 - 3 of 3 Page 1 of 1

All Projects

Available keyboard shortcuts

Tasklist

Task Details

Task Editing