No Rate Limiting on Password Reset Link - NRLP(email) - Tutorial Boy -->

No Rate Limiting on Password Reset Link - NRLP(email)

 Hi team,

I found there is no rate limiting on the reset password link

Description:

Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. If the number of requests you make exceeds that limit, then an error will be triggered. The reasoning behind implementing rate limits is to allow for a better flow of data and to increase security by mitigating attacks such as DDoS.

Replication Steps:

Steps to perform this attack are:

  1. Click on forgot password
  2. Enter email and intercept that request.
  3. Send to an intruder and select ‘your email' parameter as an injection point!
  4. Paste your email in the payload list 100 times.
  5. Start attack and you will be receiving 100 emails

Kindly ask if you need more information or a video Poc

Impact:

This will lead to mass mailing to the targeted user, which will degrade the reputation of your company.

Thank You