No rate limit on the forgot password field.

Rate limiting controls the rate at which requests are sent or received, and is one of the standard defences against DoS attacks. Nowadays most websites apply rate limits for a variety of reasons, and the forgot-password endpoint is one place where the limit matters: every request there triggers an e-mail to an address the attacker chooses.

I was testing a website, let’s say “buggyweb.com”. I was on the forgot-password page of the website. At first, I entered my email address and requested the reset link. After some time I opened Burp Suite and started to capture the request. On the forgot-password field I saw something like this:

So I sent it to the Intruder tab and entered my email 50+ times. I started the attack, and in my inbox I received more than 50 emails to reset the password. This was because there was no limit on how many reset-password links could be sent to a user.

This can be used to spam the victim’s inbox or sometimes even to perform a DoS attack. So I reported it to the company.
After 2 days I received their reply saying this was a known issue, so they didn’t provide a bounty. But I have read some HackerOne reports on this type of bug, and some of them did pay a bounty for it.
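The server-side fix this finding points at is a cap on reset e-mails per address and per source. The following is an added example, not code from the post or from the site it describes: a sliding-window limiter keyed by normalised e-mail address and by client IP, placed in front of a simulated forgot-password handler. The limits, window lengths, addresses and IPs are illustrative assumptions. Over the per-address cap the handler still answers 200 so that throttling does not start revealing which addresses are registered, but no further mail is queued.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values (assumption, not from the post): at most
# RESET_LIMIT reset e-mails per address within RESET_WINDOW seconds, plus a
# looser per-client-IP cap so one source cannot spam many mailboxes.
RESET_LIMIT = 3
RESET_WINDOW = 15 * 60
IP_LIMIT = 20
IP_WINDOW = 60 * 60


class SlidingWindowLimiter:
    """Counts events per key inside a trailing time window.

    Timestamps are kept in a deque per key; on each check, entries older than
    the window are dropped and the remaining count is compared to the limit.
    The clock is injectable so behaviour can be tested without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        events = self._events[key]
        while events and now - events[0] > self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class ForgotPasswordHandler:
    """Simulated reset endpoint; `sent` stands in for the outbound mail queue."""

    def __init__(self, clock=time.monotonic):
        self.per_email = SlidingWindowLimiter(RESET_LIMIT, RESET_WINDOW, clock)
        self.per_ip = SlidingWindowLimiter(IP_LIMIT, IP_WINDOW, clock)
        self.sent = []  # constructed stand-in for a mail queue

    def request_reset(self, email, client_ip):
        # Normalise so "Bob@Example.com" and "bob@example.com " share a bucket.
        key = email.strip().lower()
        # IP bucket first: a flood from one source is throttled even when it
        # rotates through many different addresses.
        if not self.per_ip.allow(client_ip):
            return {"status": 429, "sent": False}
        if not self.per_email.allow(key):
            # Over the per-address cap: respond as if the mail went out so the
            # response does not reveal whether the address is registered, but
            # do not enqueue another message.
            return {"status": 200, "sent": False}
        self.sent.append(key)
        return {"status": 200, "sent": True}


def replay_intruder(handler, email, client_ip, attempts):
    """Replays the post's scenario: the same address submitted `attempts` times
    from one client. Returns how many reset e-mails were actually sent."""
    for _ in range(attempts):
        handler.request_reset(email, client_ip)
    return handler.sent.count(email.strip().lower())


if __name__ == "__main__":
    # Constructed demo: 50 submissions of one address from one IP.
    h = ForgotPasswordHandler()
    mails = replay_intruder(h, "victim@example.com", "198.51.100.7", 50)
    print(f"reset e-mails actually sent: {mails}")  # 3, not 50
```

Keying on both the normalised address and the source IP is the point: the address bucket stops the inbox flood described above, and the IP bucket stops a single client from cycling through a list of victims. In production the deques would live in a shared store such as Redis rather than process memory, but the window logic is the same.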

Thank You.
