Improper Restriction of Excessive Authentication Attempts in login feature in francoisjacquet/rosariosis
May 23rd 2022
The login feature applies no rate limiting, so an attacker can brute-force credentials.
Steps to reproduce
2. Log in with any username and password.
3. Using Burp, send the login POST request to Intruder.
4. Create 30 null payloads and start the attack.
5. Log in with the correct username and password: the login succeeds, with no ban or restriction, after 30 failed attempts.
This allows an attacker to perform a brute-force attack, leading to account takeover.
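The mitigation the report calls for is a failed-attempt counter with a lockout window in front of the credential check. The following is an added example written for this page, not RosarioSIS code: a self-contained Python throttle keyed by (username, client IP) that replays the report's scenario, 30 wrong passwords followed by the correct one, and shows the correct password being refused until the window expires. The user store, thresholds, and helper names (`LoginThrottle`, `attempt_login`, `demo`) are constructed assumptions, and the clock is injectable so the window can be advanced without waiting.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Assumed policy values for the example; real deployments tune these.
MAX_FAILED_ATTEMPTS = 5       # failures tolerated before lockout
LOCKOUT_SECONDS = 15 * 60     # lockout window after the threshold is hit


def _hash_password(password: str, salt: str) -> str:
    # Illustrative salted hash; a production system would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample user store (username -> salt and password hash), not real data.
USERS = {
    "alice": {"salt": "s4lt", "hash": _hash_password("correct horse", "s4lt")},
}


class LoginThrottle:
    """Counts failed logins per (username, client IP) and refuses attempts while locked."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock                       # injectable for testing
        self._failures = defaultdict(list)       # key -> timestamps of recent failures

    def _key(self, username, client_ip):
        return (username.lower(), client_ip)

    def is_locked(self, username, client_ip) -> bool:
        now = self.clock()
        key = self._key(username, client_ip)
        # Forget failures that fall outside the lockout window.
        self._failures[key] = [t for t in self._failures[key]
                               if now - t < self.lockout_seconds]
        return len(self._failures[key]) >= self.max_failed

    def record_failure(self, username, client_ip):
        self._failures[self._key(username, client_ip)].append(self.clock())

    def reset(self, username, client_ip):
        self._failures.pop(self._key(username, client_ip), None)


def attempt_login(throttle, username, password, client_ip):
    """Returns 'locked', 'bad_credentials' or 'ok'. Lockout is checked before the password."""
    if throttle.is_locked(username, client_ip):
        return "locked"
    user = USERS.get(username)
    # Always compute a hash so unknown usernames take the same time as known ones.
    salt = user["salt"] if user else "dummy"
    expected = user["hash"] if user else _hash_password("", "dummy")
    if user and hmac.compare_digest(_hash_password(password, salt), expected):
        throttle.reset(username, client_ip)
        return "ok"
    throttle.record_failure(username, client_ip)
    return "bad_credentials"


def demo():
    """Replays the report: 30 wrong passwords, then the right one, then the right one after the window."""
    fake_now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    ip = "203.0.113.10"                           # constructed client address
    burst = [attempt_login(throttle, "alice", "wrong", ip) for _ in range(30)]
    correct_during_lockout = attempt_login(throttle, "alice", "correct horse", ip)
    fake_now[0] += LOCKOUT_SECONDS + 1             # lockout window expires
    correct_after_window = attempt_login(throttle, "alice", "correct horse", ip)
    return burst, correct_during_lockout, correct_after_window


if __name__ == "__main__":
    print(demo())
```

Keying the counter on (username, client IP) rather than on the username alone limits the trade-off where an attacker could lock legitimate users out by design; pairing it with a per-IP counter across all usernames covers password spraying, and every lockout decision should also be logged so the attempts are visible in detection.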