Missing rate limit on login function
Hi,
The login functionality can be brute-forced because it has neither a CAPTCHA nor a rate limit.
1/ Visit https://xxx.xxxxxxxxxxxx.xxx
2/ Enter bad credentials
3/ Intercept the request with a proxy tool like Burp Suite
4/ Replay the request, again and again
{}
The functionality can be used to brute-force any user account.
- limit the login functionality to x attempts within a predefined period before blocking the account
- set up a CAPTCHA to block automated submissions.
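As an added illustration of the first recommendation (example code, not part of the original report or the affected application): a per-account login rate limiter that counts failures in a sliding window and locks the account for a cooldown period once the threshold is reached. The thresholds, account names and passwords below are constructed for the example; the real values should be chosen per deployment.

```python
# Added example (not part of the original report): a per-account login
# rate limiter with a lockout period, implementing "x attempts in a
# predefined period before blocking the account".
# Thresholds and sample credentials are constructed for illustration.
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Track failed logins per account and lock the account after too many."""

    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock                  # injectable so tests can control time
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account, now):
        """Drop failures that have fallen out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, account):
        """True while the account is in its lockout period; clears an expired lock."""
        now = self._clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; return True if this failure triggered a lockout."""
        now = self._clock()
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for the account."""
        self._failures.pop(account, None)


def attempt_login(limiter, account, password, verify):
    """Gate a login attempt behind the limiter; `verify` is the real credential check.

    The credential check is skipped entirely while the account is locked, so a
    locked account cannot be probed even with the correct password.
    """
    if limiter.is_locked(account):
        return "locked"
    if verify(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad_credentials"


class FakeClock:
    """Controllable clock so the lockout window can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed sample credential store; a real check would use salted password hashes.
CONSTRUCTED_USERS = {"alice": "correct-horse"}


def _verify(account, password):
    return CONSTRUCTED_USERS.get(account) == password


def demo():
    """Five wrong guesses lock the account; even the right password is refused until the lock expires."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=300,
                               lockout_seconds=900, clock=clock)
    results = [attempt_login(limiter, "alice", f"guess{i}", _verify) for i in range(5)]
    results.append(attempt_login(limiter, "alice", "correct-horse", _verify))  # still locked
    clock.advance(901)                                                          # lock expired
    results.append(attempt_login(limiter, "alice", "correct-horse", _verify))
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise on this pattern: account lockout on its own lets anyone who knows a username lock that user out, so it is normally paired with per-source throttling, progressive delays or the CAPTCHA from the second recommendation; and the state here is in-process memory, so a deployment with several application instances needs the counters in a shared store or the limit is effectively multiplied by the number of instances.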
Best regards,
Gwen