Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License
478 stars 306 forks

Security flaw: Rate Limiting Bypass at developer portal signup page #2250

Closed zhamadagithub closed 3 months ago

zhamadagithub commented 11 months ago

Every bug report should have precise description and reproduction steps; console traces or source code references are appreciated.

For assistance requests, contact Azure support or submit a post on Stack Overflow. We don't provide support through GitHub Issues. Feature requests can be raised on the Azure Feedback Forum.

Bug description

Rate Limiting Bypass at developer portal signup page

Bypasses of rate limiting mechanisms such as CAPTCHA can allow an attacker to automate attacks at the specific endpoint and consume unnecessary resources on the server, potentially causing service disruption and denial-of-service. This also circumvents a multitude of other factors including security, data accuracy, spam, and protection against bots.

Reproduction steps

1. Brute force: by omitting/removing specific fields sent to the server, the "challenge" (similar to a CAPTCHA) can be completely bypassed.

Expected behavior

Do not allow the challenge (CAPTCHA) to be bypassed.

Is your portal managed or self-hosted?

Managed

Release tag or commit SHA (if using self-hosted version)

API Management service name

Environment

Additional context
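The failure mode the report describes (a challenge that is only checked when the client chooses to send it) is shown below as an added example, not code from the api-management-developer-portal project or from Azure's managed service. The request shape, the field names "challengeId" and "challengeAnswer", the client-address key, the attempt limit and the sample challenges are all assumptions made for illustration; the hardened handler fails closed when the fields are missing and counts every attempt before doing anything else.

```javascript
// Added example, not code from the api-management-developer-portal project.
// Field names, limits and sample data below are assumptions for illustration.

// Constructed sample of challenges the server has issued: id -> expected answer.
function issuedChallenges() {
  return new Map([["c-1", "7"], ["c-2", "kx4q"]]);
}

// A challenge is single-use: it is consumed whether or not the answer matches,
// so a correct answer cannot be replayed across many signups.
function verifyChallenge(challenges, id, answer) {
  const expected = challenges.get(id);
  challenges.delete(id);
  return expected !== undefined && expected === answer;
}

// Vulnerable: the challenge is validated only when the client sends it, so a
// request with the challenge fields stripped is accepted without any check.
function signupVulnerable(body, challenges) {
  if (body.challengeId !== undefined) {
    if (!verifyChallenge(challenges, body.challengeId, body.challengeAnswer)) {
      return { status: 400, error: "challenge failed" };
    }
  }
  return { status: 201, user: body.email };
}

// Hardened: fail closed. Every attempt from a client is counted before any
// other processing, the challenge fields are mandatory and typed, and the
// challenge itself must verify.
const MAX_ATTEMPTS_PER_WINDOW = 5; // assumed per-client limit for one window

function signupHardened(body, challenges, attemptsByClient, clientAddress) {
  const attempts = (attemptsByClient.get(clientAddress) || 0) + 1;
  attemptsByClient.set(clientAddress, attempts);
  if (attempts > MAX_ATTEMPTS_PER_WINDOW) {
    return { status: 429, error: "too many attempts" };
  }
  if (typeof body.challengeId !== "string" ||
      typeof body.challengeAnswer !== "string") {
    return { status: 400, error: "challenge required" };
  }
  if (!verifyChallenge(challenges, body.challengeId, body.challengeAnswer)) {
    return { status: 400, error: "challenge failed" };
  }
  return { status: 201, user: body.email };
}

// Replays the reported attack: n signup requests from one client with the
// challenge fields omitted. Returns how many were accepted, rejected, throttled.
function bruteForceWithoutChallenge(handler, n) {
  const challenges = issuedChallenges();
  const attemptsByClient = new Map();
  const result = { accepted: 0, rejected: 0, throttled: 0 };
  for (let i = 0; i < n; i++) {
    const body = { email: `user${i}@example.com` }; // no challenge fields at all
    const res = handler(body, challenges, attemptsByClient, "203.0.113.7");
    if (res.status === 201) result.accepted++;
    else if (res.status === 429) result.throttled++;
    else result.rejected++;
  }
  return result;
}

console.log("vulnerable:", bruteForceWithoutChallenge(signupVulnerable, 20));
console.log("hardened:  ", bruteForceWithoutChallenge(signupHardened, 20));
```

Against the vulnerable handler all 20 challenge-less requests create accounts; against the hardened one none do, and the client is throttled after the fifth attempt regardless of what it sends. The ordering matters: if the attempt counter ran only after a successful challenge, a client that never sends one would never be counted.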

ghost commented 11 months ago

@zhamadagithub, thank you for opening this issue. We will triage it within the next few business days.

malincrist commented 11 months ago

Hello @zhamadagithub, thank you for bringing this issue to our attention. We have created an internal work item to investigate and address this.

zhamadagithub commented 9 months ago

Our security is asking for an ETA on when this vulnerability will be resolved. Thank you!

mrcarlosdev commented 3 months ago

This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request