ID: 309
Status: Closed
Summary: Missing Rate Limiting & Lack of Access Control on /perm ...
Opened by: ...testing.com

Task Description

Summary: The endpoint https://admin.alwaysdata.com/permissions/add/ is vulnerable to a complete lack of rate limiting and missing function-level access controls. An authenticated attacker can send hundreds of requests in a short time to add new users or grant permissions to existing users without any restriction (CAPTCHA, 429 status code, or account lockout). This was confirmed by receiving a "Profile initialization" email from Alwaysdata for the injected email address.

Steps to Reproduce:

1. Log in to your Alwaysdata admin account.

2. Open Burp Suite (or any HTTP proxy) and intercept the request when adding a new user or permission via the /permissions/add/ endpoint.

3. Send this request to Intruder (or any automation tool).

4. Set a payload position on the email parameter (e.g., email=victim%2Bpayload@example.com).

5. Configure the payloads to generate 100 different email addresses (using %2B addressing or random strings).

6. Start the attack. Send all 100 requests without any delay.

7. Observe the responses.

8. Check the email inbox associated with the payload email addresses.

Proof of Concept: Intruder Results (attached image): The attached screenshot shows that 100 requests were sent. All returned a 302 Found status code with identical response lengths. No rate limiting (e.g., a 429 status) was observed.

Confirmation Email (attached image): The second screenshot shows an email received from Alwaysdata titled "Profile initialization…" confirming that a new user/profile was created or permissions were granted due to the automated requests. This proves the vulnerability has a real impact.

Impact: An attacker can automate the creation of hundreds of user accounts or grant permissions to existing accounts.

This can lead to denial of service (filling the database), account takeover, and privilege escalation.

The lack of rate limiting makes it trivial to brute-force or enumerate valid user addition processes.

Suggested Fix:

Implement strict rate limiting on the /permissions/add/ endpoint (e.g., max 5 requests per minute per user/IP).

Implement CAPTCHA for sensitive actions like adding users.

Ensure proper function-level access control checks are performed for every request.
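Editor's added example, not the reporter's code and not Alwaysdata's: a local stand-in for the /permissions/add/ behaviour the report describes, driven by the same kind of automated probe as the reproduction steps, and a second mode that applies the controls from the suggested fix (a per-user/IP limit of 5 requests per minute and a role check on every request). The loopback host and port, the `email`/`permission` form fields, the `X-Session` header, the token/role table and the limit values are all assumptions made for the demo; nothing here contacts the real service.

```python
import http.client
import threading
import time
import urllib.parse
from collections import Counter, defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_PER_WINDOW, WINDOW_SECONDS = 5, 60   # suggested fix: 5 requests/minute per (user, IP); assumed values
# Assumed session store: token -> (username, role). Only admins may add permissions.
SESSIONS = {"tok-admin": ("alice", "admin"), "tok-user": ("bob", "member")}

def gen_emails(mailbox, domain, n):
    """Plus-addressed variants of one inbox, like the Intruder payload list in step 5."""
    return [f"{mailbox}+payload{i}@{domain}" for i in range(n)]

class SlidingWindowLimiter:
    """Per-key request counter over a sliding window; refuses once the limit is reached."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits, self.lock = defaultdict(deque), threading.Lock()

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        with self.lock:
            q = self.hits[key]
            while q and now - q[0] >= self.window:   # forget hits outside the window
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True

def make_handler(hardened, limiter):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *_):   # keep the demo quiet
            pass

        def do_POST(self):
            if self.path != "/permissions/add/":
                self.send_error(404)
                return
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            form = urllib.parse.parse_qs(body.decode())
            user, role = SESSIONS.get(self.headers.get("X-Session", ""), (None, None))
            if user is None:
                self.send_error(401)
                return
            if not form.get("email"):
                self.send_error(400)
                return
            if hardened:
                if role != "admin":              # function-level access control, every request
                    self.send_error(403)
                    return
                if not limiter.allow((user, self.client_address[0])):
                    self.send_response(429)      # rate limit per (user, IP)
                    self.send_header("Retry-After", str(WINDOW_SECONDS))
                    self.end_headers()
                    return
            # What the report observed: every request is accepted and answered with
            # the same 302 redirect, however many arrive.
            self.send_response(302)
            self.send_header("Location", "/permissions/")
            self.end_headers()
    return Handler

def start_server(hardened):
    """Throwaway server on a free loopback port; returns (server, host, port)."""
    limiter = SlidingWindowLimiter(MAX_PER_WINDOW, WINDOW_SECONDS)
    srv = HTTPServer(("127.0.0.1", 0), make_handler(hardened, limiter))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[0], srv.server_address[1]

def probe(host, port, token, emails):
    """Steps 6-7: one POST per payload address with no delay; tally the status codes."""
    counts = Counter()
    for email in emails:
        data = urllib.parse.urlencode({"email": email, "permission": "read"}).encode()
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("POST", "/permissions/add/", body=data, headers={
            "X-Session": token, "Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        counts[resp.status] += 1
        conn.close()
    return counts

def run_demo(n=100):
    """Replay the 100-request run against both variants; returns {variant: Counter}."""
    results = {}
    for name, hardened in (("vulnerable", False), ("hardened", True)):
        srv, host, port = start_server(hardened)
        try:
            results[name] = probe(host, port, "tok-admin", gen_emails("victim", "example.com", n))
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    for name, counts in run_demo().items():
        print(f"{name}: {dict(sorted(counts.items()))}")
```

Against the vulnerable variant the probe reports 100 responses with status 302, the pattern the Intruder screenshot shows; against the hardened variant the same burst yields 5 accepted requests and 95 responses with status 429, and a logged-in non-admin session is refused with 403 before any work is done. The limiter is keyed on the pair (user, client IP) so that a single account cannot escape it by rotating addresses, and the role check runs on every request rather than relying on the UI hiding the form.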
