No Rate Limit for Forgot Password


On India’s famous e-commerce website


Firstly, what is No Rate Limit for Forgot Password?

No rate limit on forgot password means the endpoint has no mechanism (per-account or per-client throttling, a CAPTCHA, a cooldown between resets) to stop a client from submitting the same request many times in a short period. An attacker can abuse this to trigger an unlimited number of password-reset emails to any address that is registered on the website, flooding the victim's inbox and burning the site's mail-sending quota, all without any authentication.
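To make the weakness and its fix concrete, here is an added example that is not code from the original post or from the affected site: a simulated forgot-password handler in two versions, the "as found" one that sends a mail on every request, and a hardened one that applies a sliding-window limit per target email and per client IP. The class and function names, the limits (3 resets per address and 10 requests per IP per hour), the account list, and the IP addresses are all hypothetical, constructed for the demonstration.

```python
"""Added example (not from the original post): a forgot-password endpoint
with and without rate limiting.  All names and limits are assumptions."""
import time
from collections import defaultdict, deque

# Assumed limits for illustration; tune to the real traffic profile.
MAX_PER_EMAIL = 3        # reset mails per target address per window
MAX_PER_IP = 10          # reset requests per client IP per window
WINDOW_SECONDS = 3600

# Generic reply returned no matter what, so the response itself does not
# reveal whether an address is registered or currently throttled.
GENERIC = {"status": "SUCCESS",
           "statusMessage": "If the address is registered, a reset link was sent"}


class FakeClock:
    """Deterministic clock so the window logic can be exercised offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SlidingWindowLimiter:
    """Allows at most `limit` events per `key` in any trailing `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordService:
    """Simulates the endpoint; `registered` is a constructed set of accounts."""
    def __init__(self, registered, clock=time.monotonic):
        self.registered = {e.strip().lower() for e in registered}
        self.by_email = SlidingWindowLimiter(MAX_PER_EMAIL, WINDOW_SECONDS, clock)
        self.by_ip = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS, clock)
        self.sent = []   # (client_ip, email) pairs that were actually mailed

    def forgot_password_vulnerable(self, client_ip, email):
        """Behaviour described in the post: every request to a registered
        address succeeds, so 50 Intruder sends produce 50 mails."""
        email = email.strip().lower()
        if email not in self.registered:
            return 400, {"status": "FAILED", "statusMessage": "Invalid client Id"}
        self.sent.append((client_ip, email))
        return 200, {"status": "SUCCESS",
                     "statusMessage": f"Password change link sent to {email}"}

    def forgot_password_hardened(self, client_ip, email):
        """Same endpoint with per-IP and per-address throttling."""
        email = email.strip().lower()
        if not self.by_ip.allow(client_ip):
            # Hard stop for a noisy client; 429 is fine here since it keys on
            # the caller, not on the victim address.
            return 429, {"status": "RATE_LIMITED", "statusMessage": "Too many requests"}
        if not self.by_email.allow(email):
            # Throttled per address: answer generically and silently skip the mail.
            return 200, GENERIC
        if email in self.registered:
            self.sent.append((client_ip, email))
        return 200, GENERIC


if __name__ == "__main__":
    clock = FakeClock()
    svc = ForgotPasswordService(["victim@example.com"], clock=clock)
    for _ in range(50):
        svc.forgot_password_hardened("203.0.113.5", "victim@example.com")
    print(f"mails actually sent to victim: {len(svc.sent)}")
```

Replaying the 50 Intruder requests from the write-up against `forgot_password_vulnerable` sends 50 mails; against `forgot_password_hardened` only 3 go out, the next 7 get the generic reply, and the remaining 40 are refused with 429. Note that the hardened version also returns the same body for registered and unregistered addresses, unlike the "Invalid client Id" reply seen in the post, so the limiter does not turn into an account-enumeration oracle.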

It was a sunny Sunday. I was testing on India’s famous e-commerce website. As it is a private program, let’s call it . I started digging for subdomains with the tools Subfinder, Amass, and ffuf (ffuf — faster you fool 😂) and filtered the active subdomains using the httpx tool.

I started looking into the subdomains, and one subdomain caught my eye; let’s say that one. The site has email and password fields to log in, and there is a forgot password option right below!


Then I fired up Burp Suite and started capturing the requests.

I clicked on forgot password and entered an email, for example:, and clicked on submit!

Burp Suite popped up and I saw the following within the request, then I sent it to Repeater:

"email": ""

In Repeater, I changed the email to:

"email": ""

Boom!!!! I got the JSON with a success message.

"status": "SUCCESS"
"statusMessage": "Password change linkt send to "

Then I sent the request to Intruder and sent it 50 times, and received 200 OK responses with SUCCESS messages in the JSON every time.

But I skipped reporting for some time. When I started writing the report a few hours later and began recording the PoC, the email had been deleted from the database:

"statusMessage":"Invalid client Id"

My bad 😓

Feeling sad