No rate limiting on creating access token in ikus060/rdiffweb


Reported on

Sep 19th 2023

  1. Description: Access token creation is a critical security component in many applications, especially when it comes to user authentication and authorization. Without proper rate limiting controls, attackers may exploit this process to launch various types of attacks, such as brute force attacks, credential stuffing attacks, or denial of service (DoS) attacks. This report highlights the vulnerability arising from the absence of rate limiting mechanisms during access token creation.

Steps: Login to Go to user profile Intercept token name request and run the intruder for 200 payloads it will create access tokens for all without any limit

  1. Remediation: To mitigate the risks associated with the lack of rate limiting in access token creation, follow these remediation steps:

    a. Implement Rate Limiting: Introduce rate limiting mechanisms to restrict the number of access token creation attempts within a defined time frame. This will deter brute force and DoS attacks.

    b. Use Strong Authentication: Implement strong user authentication mechanisms, including multi-factor authentication (MFA), to make it harder for attackers to guess or use stolen credentials.

    c. Monitoring and Logging: Implement comprehensive monitoring and logging to detect and respond to unusual access token creation patterns or suspicious activities.

    d. Fail2Ban or IP Whitelisting: Implement tools like Fail2Ban or IP whitelisting to block IP addresses after a certain number of failed access token creation attempts.

    e. Error Messages: Avoid providing specific error messages during access token creation, which can reveal information that could aid attackers.

    f. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the access token creation process.

    g. Security Awareness: Train developers and administrators on best practices for securing access token creation and the importance of rate limiting.

  2. Conclusion: The absence of rate limiting in access token creation can expose your application to a range of security risks, including unauthorized access and denial of service attacks. By implementing rate limiting and following the remediation steps outlined in this report, you can significantly enhance the security of your application and protect sensitive user data. Remember that security is an ongoing process, and regular audits and updates are essential to maintaining a robust security posture.


  1. Impact: The absence of rate limiting in access token creation can have several detrimental effects on the security and availability of an application:

    a. Brute Force Attacks: Attackers can launch brute force attacks to guess access tokens, potentially gaining unauthorized access to user accounts, sensitive data, or system resources.

    b. Credential Stuffing: Malicious actors can use stolen credentials from other breaches to repeatedly attempt access token creation, compromising the security of user accounts.

    c. Denial of Service (DoS): In the absence of rate limiting, an attacker can flood the authentication and authorization systems with a large number of requests, overloading the servers and causing system downtime.

    d. Resource Exhaustion: Uncontrolled access token creation can exhaust server resources, leading to degraded performance and potentially crashing the application.

    e. Data Breach: If successful, unauthorized access through this vulnerability can result in data breaches, leakage of sensitive information, and potential legal and reputational consequences for the organization.

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 3 months ago
3 months ago



We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 3 months ago
ikus060/rdiffweb maintainer has acknowledged this report 3 months ago
Patrik Dufresne
2 months ago


@pullakarthiksrivastav Thanks for the report. Do you have a email or a profile page so I give you credit in the README file ?

Patrik Dufresne modified the Severity from High (8.2) to High (7.1) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability 2 months ago
pullakarthiksrivastav has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.8.4 with commit 06f89b 2 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 2 months ago
2 months ago


Hi patrik Thanks for the CVE.

I didn't understand the previous comment you mentioned could you please reframe it

2 months ago


BTW My name email:

to join this conversation