No Rate Limiting on Form (Registration, Login, Email Triggering, SMS-Triggering)

Vulnerability Category: A6 - Security Misconfiguration

Vulnerability Description: On a registration page, the absence of rate limiting leads to user enumeration, because an attacker can submit a large list of email addresses and learn which ones are already registered. On the login page, an attacker can brute-force user credentials. When a user wants to reset their password and there is no rate limiting on that function, an attacker can take advantage of this to flood the user's mailbox with password-reset emails.

Impact: This vulnerability leads to user enumeration, and an attacker can perform flooding attacks through the email and SMS services behind the forms.

Recommendation: To mitigate this issue, developers should enforce a timeout after a set number of requests within a period of time, or implement a CAPTCHA mechanism on the form pages.
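One way to implement the "timeout after a number of requests in a period of time" recommendation, written here as an added example rather than code from the original post: a sliding-window rate limiter with a cooldown, applied to a stand-in for the password-reset form handler. It limits per target account and per client address, so neither a single source flooding one mailbox nor a source rotating through many addresses gets through, and it returns the same reply whether or not the address is registered, which closes the enumeration angle described above. The user list, IP addresses, thresholds and handler name are constructed assumptions, not taken from any real application.

```python
"""Added example: sliding-window rate limiter with a cooldown ("timeout") applied
to a stand-in password-reset handler. Not code from the original post; the user
list, IP addresses and thresholds below are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional
import time


@dataclass
class RateLimiter:
    max_requests: int          # requests allowed per key inside one window
    window_seconds: float      # length of the sliding window
    timeout_seconds: float     # cooldown imposed on a key that exceeds the limit
    _events: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque), init=False, repr=False)
    _blocked_until: Dict[str, float] = field(
        default_factory=dict, init=False, repr=False)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Return True if the request for `key` may proceed, False if it is limited.
        `now` is injectable so the behaviour can be exercised without sleeping."""
        now = time.monotonic() if now is None else now
        # Key is still serving a timeout from an earlier burst: reject, record nothing.
        if self._blocked_until.get(key, 0.0) > now:
            return False
        q = self._events[key]
        # Discard timestamps that have slid out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            # Limit exceeded: start the timeout and forget the window so the key
            # starts with a clean slate once the timeout ends.
            self._blocked_until[key] = now + self.timeout_seconds
            q.clear()
            return False
        q.append(now)
        return True


# Constructed stand-ins for the application's user store and outbound mail queue.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}
sent_emails = []

# Assumed thresholds: 3 reset requests per minute per key, then a 15-minute timeout.
reset_limiter = RateLimiter(max_requests=3, window_seconds=60, timeout_seconds=900)

GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def request_password_reset(email: str, client_ip: str,
                           now: Optional[float] = None) -> dict:
    """Hypothetical 'forgot password' endpoint standing in for the real form handler."""
    account = email.strip().lower()
    # Limit on the target account AND on the source address: one source cannot flood
    # a single mailbox, and a source rotating target addresses still gets cut off.
    for key in (f"acct:{account}", f"ip:{client_ip}"):
        if not reset_limiter.allow(key, now):
            return {"status": 429, "body": "Too many requests. Try again later."}
    if account in KNOWN_USERS:
        sent_emails.append(account)  # real code would enqueue the reset mail here
    # Same reply whether or not the account exists, so the form cannot be used
    # to enumerate registered addresses.
    return {"status": 200, "body": GENERIC_REPLY}


if __name__ == "__main__":
    for t in range(5):  # five rapid requests against one account
        print(t, request_password_reset("alice@example.com", "203.0.113.5", now=float(t)))
    print("emails sent:", len(sent_emails))
```

The in-memory dictionaries are only suitable for a single process; behind a load balancer the same counters would live in a shared store such as a cache keyed the same way, otherwise each instance hands out its own full allowance. A CAPTCHA, the post's other recommendation, fits naturally as the challenge shown once `allow` starts returning False.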

Severity: Medium

CVSS v3.0 Score: 5.8

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

How to Test:

1) Intercept the login request, send it to Intruder and run different attack payloads against the request.

2) Intercept the registration request, send it to Intruder, place the list of email addresses in the email field and compare the responses to those requests.

3) Intercept the password change request, send it to Repeater, click "Go" multiple times and check whether the password change email arrived multiple times.

Tools to Use:

1) Browser

2) Burp Suite (Intruder and Repeater)

Note: If I wrote any mistakes in my posts, please notify me; I will rectify them and learn more about it.
