vulnerability lack of rate limiting
severity 3.7
language php
registry packagist


Encountered a lack of rate limiting on the login page of the userfrosting/UserFrosting repo.

Proof of Concept

  • Clone the GitHub repo and set up the UserFrosting platform to reproduce the vulnerability.
  • I used Intruder in Burp Suite to test for rate limiting on the password field.
  • Rate limiting was never triggered: each wrong password returns a 403 Forbidden error, and when the password matches, Burp shows a 200 OK.
  • [POC of request used] (
  • [POC of exploitation] (


An attacker is able to perform a brute-force attack to log in to a victim's account.
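As an added mitigation example (not UserFrosting's own code; the `LoginThrottle` class, its array store and the `attemptLogin` handler are assumptions), a sliding-window throttle keyed by username and client IP, consulted before the password check, so that repeated failures from one client get 429 responses instead of an unlimited stream of 403/200 answers:

```php
<?php
// Added example (not UserFrosting code): a sliding-window throttle on failed
// logins keyed by username and client IP; the array stands in for Redis/DB.
declare(strict_types=1);
final class LoginThrottle
{
    /** @var array<string, int[]> timestamps of recent failures per key */
    private array $store = [];

    public function __construct(
        private int $maxFailures = 5,    // failures tolerated per window
        private int $windowSeconds = 300 // sliding window length in seconds
    ) {}

    /** Seconds the client must wait before another attempt, 0 if allowed now. */
    public function retryAfter(string $user, string $ip, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $recent = array_filter($this->store[strtolower($user) . '|' . $ip] ?? [],
                               fn(int $t): bool => $t > $cutoff);
        if (count($recent) < $this->maxFailures) {
            return 0;
        }
        return min($recent) - $cutoff; // blocked until the oldest failure ages out
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        $this->store[strtolower($user) . '|' . $ip][] = $now;
    }

    public function reset(string $user, string $ip): void
    {
        unset($this->store[strtolower($user) . '|' . $ip]);
    }
}
/** Login handler sketch: the throttle is consulted before the password check. */
function attemptLogin(LoginThrottle $t, string $user, string $ip, string $pw, string $hash, int $now): int
{
    if ($t->retryAfter($user, $ip, $now) > 0) {
        return 429; // Too Many Requests; a real handler also sends Retry-After
    }
    if (!password_verify($pw, $hash)) {
        $t->recordFailure($user, $ip, $now);
        return 403; // same failure status as reported, but now counted
    }
    $t->reset($user, $ip);
    return 200;
}
```

With the defaults, the sixth wrong password within five minutes from the same username and IP gets 429, and a correct password does not bypass the lockout until the oldest failure leaves the window; the per-IP component should be complemented by a per-account limit in production so a distributed guesser is also slowed.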