All Projects

ID Status Summary Opened by
 89 Closed Vulnerability Report: Missing Rate Limiting on Password ...Zain721 Task Description

Hello Alwaysdata Security Team,

I hope this message finds you well.

I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page".
===
Vulnerability Details:===

The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions.i send the request to Intruder and set my email and set payload around 80 times and the server give me the 80 linkes on my eamil (forgot password emial link)

Impact:

Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information.

Recommendation:

To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security.

Thank you for reviewing this report. Please feel free to reach out if you need additional information.

kindly co-ordinate with me on this email,
zainulabideen78626@gmail.com

Best Regards,
Zain-Ul-Abideen

Showing tasks 1 - 1 of 1 Page 1 of 1

Available keyboard shortcuts

Tasklist

Task Details

Task Editing