Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrAkshayravic09yc47EBEE593D-3FD0-4985-BF5E-7E7927E08BF6
HistoryJul 12, 2022 - 4:18 a.m.

Account Takeover

2022-07-1204:18:11
akshayravic09yc47
www.huntr.dev
20
security vulnerability
web application
brute force
rate limiting
bug bounty

EPSS

0.002

Percentile

62.2%

JSON
  1. Hello team, while i was testing on https://book.dansmonorage.blue/login i noticed that there is no ratelimit protection on POST login form, so an attacker can takeover the account by brute forcing the password field

Steps to reproduce:

  1. go to https://book.dansmonorage.blue/login
  2. Enter username and any password
  3. Capture the request with burpsuite and start bruteforcing with our wordlist

POC Screenshot:

Patch recommendation:

  1. Add ratelimit protecion on POST login endpoints/parameters

Related

cve 1
osv 1
prion 1
cvelist 1
nvd 1
cve
cve
CVE-2022-35925
2022-08-02 21:15:08
osv
osv
CVE-2022-35925
2022-08-02 21:15:08
prion
prion
Authentication flaw
2022-08-02 21:15:00
cvelist
cvelist
CVE-2022-35925 Missing rate limit in Authentication in bookwyrm
2022-08-02 20:15:15
nvd
nvd
CVE-2022-35925
2022-08-02 21:15:08

EPSS

0.002

Percentile

62.2%

JSON
Related for EBEE593D-3FD0-4985-BF5E-7E7927E08BF6
cve1osv1prion1cvelist1nvd1