Rate limit vulnerability in a login form may lead to ATO (Account Take Over)
Hi everyone, I wish you good health. Let's start.
This is my first bug on bug bounty platforms. It existed in a login form at a URL like this: https://xyz/forgot-password
The first step I do is to enumerate all subdomains using tools like the subenum tool:
./subenum.sh -d <target domain>
Then I get all these subdomains in a file and run the httpx tool on it to filter the subdomains and get the live ones with response code 200:
httpx -sc -l subdomains.txt
Then I get the vulnerable page with response code 200, so I take the link and visit it. I get a login page to enter this page, so I capture the request in Burp Suite and start to check if the server allows multiple requests without rate limit verification.
Then I start to send the response to Burp Intruder and start to brute force the forgot password request, which sends a verification code to the target mail, for 1000 requests. I found that the server doesn't block me or take any action against these requests, and the response comes back with "verification code has been sent to this account". So I directly go and do the same for the login page itself with any mail, and the server does the same thing. So I know that there is no rate limit validation on this form, which may allow an attacker to brute force the password of any user that exists on the server.
The application does not enforce proper rate limiting on the [login/password reset/OTP verification] endpoint. This allows an attacker to send a large number of requests in a short period of time, enabling brute force attacks or account enumeration.
Without rate limiting, an attacker can repeatedly attempt to guess valid user credentials, OTPs, or other sensitive data, significantly increasing the chances of compromising an account. This vulnerability is particularly concerning because it may lead to account takeover, data exposure, or service abuse.
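As an added defensive example (not code from the original post), here is a server-side sliding-window limiter for the forgot-password endpoint, keyed both per target account and per client IP, so a burst of 1000 requests like the one described above is cut off after the first few. The limits, class names, and sample addresses are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class ForgotPasswordEndpoint:
    """Reset-code endpoint limited per target account and per client IP.
    Assumed policy (not from the post): 5 requests per account and 20 per IP
    in any 15-minute window."""
    def __init__(self):
        self.per_account = SlidingWindowLimiter(limit=5, window=900)
        self.per_ip = SlidingWindowLimiter(limit=20, window=900)

    def handle(self, email, client_ip, now=None):
        now = time.time() if now is None else now
        # Evaluate both limiters (no short-circuit) so every attempt is counted.
        ip_ok = self.per_ip.allow(client_ip, now)
        acct_ok = self.per_account.allow(email.strip().lower(), now)
        if not (ip_ok and acct_ok):
            return 429, "Too many requests; try again later"
        # send_reset_code(email) would be called here; omitted from the example.
        # Same body whether or not the account exists, to avoid enumeration.
        return 200, "If that account exists, a verification code has been sent"

def simulate_burst(n, email="victim@example.com", ip="203.0.113.5"):
    """Replay n back-to-back requests (constructed input) against a fresh
    endpoint and count responses by HTTP status."""
    endpoint = ForgotPasswordEndpoint()
    counts = defaultdict(int)
    start = 1_700_000_000.0  # fixed clock so the run is deterministic
    for i in range(n):
        status, _ = endpoint.handle(email, ip, now=start + i * 0.01)
        counts[status] += 1
    return dict(counts)

if __name__ == "__main__":
    print(simulate_burst(1000))  # {200: 5, 429: 995}
```

In a real deployment the limiter state would live in a shared store such as Redis rather than process memory, and a 429 should be logged so repeated bursts against one account or from one IP can be alerted on.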
Thanks for reading. Good luck.
Contact me: LinkedIn