ASRG / asrg.io

asrg.io - website and docs
MIT License

No rate limit on forget password Link #437

Closed usman-asrg closed 2 years ago

usman-asrg commented 2 years ago

Affected URL: https://www.asrg.io

Steps to reproduce

Step 1: While using forgot password, intercept the request.
Step 2: Send it to Intruder in Burp Suite, choose null payloads (400) and start.

It also causes an application-level DoS.

PoC: it triggers 400 mails to the victim.

usman-asrg commented 2 years ago

[image attachment: unnamed]

usman-asrg commented 2 years ago

@heldyboy I tried this out... after clicking on the forgot password link I only received one email. So, I am not sure about the above issue... I tried to find it on Google as well by trying different keywords mentioned in the description, but no luck...

heldyboy commented 2 years ago

Please look into a rate limiter function for login, registrations and forgot passwords.

usman-asrg commented 2 years ago

Added a rate limit of 3 / minute... Let me know if you want me to increase the rate limit.
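The kind of limiter the thread asks for, as an added illustration (not the asrg.io site's own code): a sliding-window counter of 3 requests per minute, applied per client IP and per target e-mail address so that neither a single address nor a single source can be used to replay the 400-request burst from the PoC. The handler name, the keys and the clock injection are assumptions made for this example.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, List


class SlidingWindowRateLimiter:
    """Allow at most `limit` events per `window_seconds` for each key."""

    def __init__(self, limit: int = 3, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, *keys: str) -> bool:
        """Return True and record a hit on every key only if ALL keys are under budget.

        Checking all keys before recording any keeps the counters consistent:
        a request rejected on the e-mail key does not burn IP budget, and vice versa.
        """
        now = self.clock()
        buckets: List[Deque[float]] = []
        for key in keys:
            hits = self._hits.setdefault(key, deque())
            # Drop timestamps that have fallen out of the window.
            while hits and now - hits[0] >= self.window:
                hits.popleft()
            if len(hits) >= self.limit:
                return False
            buckets.append(hits)
        for hits in buckets:
            hits.append(now)
        return True


def handle_forgot_password(limiter: SlidingWindowRateLimiter, client_ip: str,
                           email: str, send_reset_mail: Callable[[str], None]) -> int:
    """Hypothetical forgot-password handler: throttle before sending any mail.

    Returns the HTTP status the endpoint would answer with. The accepted response is
    the same whether or not the address has an account, so the limiter does not
    become an account-enumeration oracle.
    """
    if not limiter.allow(f"ip:{client_ip}", f"email:{email.strip().lower()}"):
        return 429  # Too Many Requests: no e-mail is sent
    send_reset_mail(email)
    return 202  # Accepted
```

Replaying the same request 400 times within a minute now produces exactly three reset mails; the remaining 397 are answered with 429 and never reach the mail queue.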