All Projects

ID Status Summary Opened by
 252 Closed open redirection pentester Task Description

Vulnerability name: open redirection

url: https://admin.alwaysdata.com/login/?next=%2f

Steps to reproduce:
1. Intercept the URL.
2. Enter bing.com in the parameter.
3. In the Location header you see that the response redirects to bing.com.

For further info please see the screenshot.

Thank you
Anant
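The report above concerns a `next` parameter that is followed without validation. As an added example (not part of the report or of alwaysdata's code), here is a defensive check a login handler can apply before redirecting; the allowed host is taken from the URL in the report and is an assumption for this example.

```python
from urllib.parse import unquote, urlsplit

# Host of the login page named in the report; an assumption for this example.
ALLOWED_HOSTS = {"admin.alwaysdata.com"}


def is_safe_redirect(target: str, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on an allowed host.

    Accepts root-relative paths ("/dashboard/") and absolute http(s) URLs
    whose host is in `allowed_hosts`. Rejects everything that would leave
    the site: other hosts, scheme-relative "//host", backslash variants
    that browsers normalise to "/", "https:/host" shorthands, userinfo
    tricks ("https://allowed@other/"), and non-http schemes.
    """
    target = target.strip()
    if not target:
        return False
    # Browsers treat "\" like "/" in the authority position: "/\other" == "//other".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        # Relative target: require exactly one leading "/" so it stays on this origin.
        return normalised.startswith("/") and not normalised.startswith("//")
    # Absolute target: scheme must be http(s) and the parsed host must be ours.
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname is not None and parts.hostname.lower() in allowed_hosts


def safe_next(raw_next: str, default: str = "/") -> str:
    """Decode the raw `next` query value and fall back to `default` when unsafe."""
    target = unquote(raw_next)
    return target if is_safe_redirect(target) else default
```

The legitimate value from the report, `next=%2f`, decodes to `/` and is accepted; any value pointing at another host falls back to the default landing page.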

 243 Closed Csrf where token is not tied to user session pentester Task Description

Vulnerability name: CSRF where attacker can use unused token to access victim account

Description: attacker can use the same CSRF token to log into an account, which might lead to an account takeover vulnerability

Steps to reproduce:
1. Make two accounts with different emails.
2. Intercept one account, copy its CSRF token and drop the response.
3. Change that token with another account and log in with the 2nd account.

For further info please see the PoC.

Thank you
Anant

 241 Closed no rate limit vulnerability pentester Task Description

Hello Team,

My last bug on no rate limit was closed as a duplicate. Here I am sending you one more no rate limit vulnerability.

Vulnerability name: no rate limit vulnerability
Description: A little bit about rate limit:
A rate limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache.

## Description:
I have identified that when requesting a forgotten password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password mails to one email.

Vulnerable URL: https://mailman.alwaysdata.com

Steps to reproduce:
Step 1: Intercept the forgot password request in Burp Suite.
Step 2: Send the request to Intruder and Sequencer.
Step 3: Add any path in Intruder, select the number payload and start the attack, or live capture in Sequencer.

Thank you

 238 Closed no rate limit vulnerability means service lacks control ...pentester Task Description

Vulnerability name: no rate limit vulnerability
Description: A little bit about rate limit:
A rate limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache.
In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429: Too Many Requests.

## Description:
I have identified that when requesting a forgotten password for an account, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the root users, sending mass password mails to one email.

Vulnerable URL: https://admin.alwaysdata.com/password/lost/

Steps to reproduce:
Step 1: Intercept the forgot password request in Burp Suite.
Step 2: Send the request to Intruder and Sequencer.
Step 3: Add any path in Intruder, select the number payload and start the attack, or live capture in Sequencer.

Showing tasks 1 - 4 of 4 Page 1 of 1
