Lack of resources and rate limiting on the Elenos login allows brute-forcing of login credentials
Lack of resources and rate limiting occurs when the application does not restrict the number or frequency of requests from a particular client. A client can therefore make thousands of requests per second, or request hundreds or thousands of data records at once, and the application will still try to fulfil every request. In some cases the lack of resources and rate limiting is not an issue, but sometimes it allows attackers to do something more. In our case, it allowed us to brute-force the admin/user password that is required to access the panel: if the right password is guessed, the application can be entered by brute force alone.
If an attacker enters an incorrect password during login, the application responds with "Invalid username or password".
To simulate a real attacker brute-forcing the login panel, we sent approximately 165 requests, each attempting a different password, without ever being blocked.
By observing the response status, an attacker can make hundreds or even thousands of requests without being blocked in order to obtain the valid password. In the worst-case scenario, the same lack of limits could be used to cause a denial of service (DoS).
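As an added example (not part of the original write-up or of the Elenos product), the following Python contrasts a login handler with no limits against one that tracks failed attempts per client IP and per account and refuses further attempts once a threshold is reached; the user name, password, IP addresses, wordlist and thresholds are constructed for the demo.

```python
import time
from collections import defaultdict, deque

# Constructed credential store for the demo; a real service compares password hashes.
USERS = {"admin": "correct-horse-battery-staple"}

def login_unlimited(client_ip, username, password):
    """Handler as the advisory describes it: every attempt is checked, nothing is blocked."""
    return "ok" if USERS.get(username) == password else "invalid"

class LoginLimiter:
    """Sliding-window limit on failed logins, tracked per client IP and per account."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout ends

    def _blocked(self, key, now):
        if self.locked_until.get(key, 0) > now:
            return True
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def attempt(self, client_ip, username, password):
        now = self.clock()
        keys = (f"ip:{client_ip}", f"user:{username}")
        if any(self._blocked(k, now) for k in keys):
            return "blocked"   # password not evaluated; send the client the same generic error
        if login_unlimited(client_ip, username, password) == "ok":
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            self.failures[k].append(now)
            if len(self.failures[k]) >= self.max_failures:
                self.locked_until[k] = now + self.lockout
        return "invalid"

def evaluated_guesses(handler, guesses, client_ip="10.0.0.1", username="admin"):
    """Count how many guesses the server actually checks (repeats the page's 165-request test)."""
    return sum(1 for g in guesses if handler(client_ip, username, g) != "blocked")

if __name__ == "__main__":
    guesses = [f"password{i}" for i in range(165)]             # constructed wordlist
    print(evaluated_guesses(login_unlimited, guesses))          # 165: every guess checked
    print(evaluated_guesses(LoginLimiter().attempt, guesses))   # 5: the rest are refused
```

Because the limiter keys on the account as well as the source address, spreading the guesses across many IPs still locks the targeted account after the same number of failures.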

