api-management-developer-portal
Security flaw: Rate Limiting Bypass at reset-password-request page
Every bug report should have a precise description and reproduction steps; console traces or source code references are appreciated.
For assistance requests, contact Azure support or submit a post on Stack Overflow. We don't provide support through GitHub Issues. Feature requests can be raised on the Azure Feedback Forum.
Bug description
A bypass of the rate limiting feature was found at the password reset page. Bypasses of rate limiting mechanisms such as CAPTCHA can allow an attacker to automate attacks at the specific endpoint and consume unnecessary resources on the server, potentially causing service disruption and denial-of-service. This also circumvents a multitude of other factors including security, data accuracy, spam, and protection against bots.
Reproduction steps
- Omitting/removing specific fields sent to the server, the "challenge" (similar to a CAPTCHA) can be completely bypassed.
Expected behavior
A clear and concise description of what you expected to happen.
Is your portal managed or self-hosted?
Azure Managed
Environment
Out of the box Azure APIM
Additional context
Recommended fix:
- Implement a CAPTCHA which is good in design. We have seen how self-made designs can be vulnerable. So use a third-party CAPTCHA service provider like Google.
- Ensure validation of the response is conducted server-side
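As an added example (not code from the api-management-developer-portal project), a server-side handler in JavaScript that applies the recommended fix: the request is counted against a per-client rate limit before anything else, every challenge field must be present, and the challenge is verified server-side and is single-use, so omitting fields can no longer skip the check. The field names, the limits and the in-memory challenge store are assumptions.

```javascript
// Added example, not from the developer portal. Field names, limits and the
// in-memory stores are assumptions made for illustration.
const attemptsByClient = new Map();
const WINDOW_MS = 15 * 60 * 1000;
const MAX_ATTEMPTS = 5;

// Sliding-window counter keyed by client (e.g. source IP). The attempt is
// recorded before any validation so malformed requests still consume budget.
function isRateLimited(clientKey, now = Date.now()) {
  const recent = (attemptsByClient.get(clientKey) || []).filter(t => now - t < WINDOW_MS);
  recent.push(now);
  attemptsByClient.set(clientKey, recent);
  return recent.length > MAX_ATTEMPTS;
}

const REQUIRED_FIELDS = ["email", "challengeId", "challengeResponse"];

// Returns an HTTP-style result. Fails closed: a missing or empty challenge
// field is rejected, it is never treated as "no challenge required".
function handleResetRequest(body, clientKey, verifyChallenge, now = Date.now()) {
  if (isRateLimited(clientKey, now)) return { status: 429, error: "too many requests" };
  for (const field of REQUIRED_FIELDS) {
    if (!body || typeof body[field] !== "string" || body[field].trim() === "") {
      return { status: 400, error: `missing ${field}` };
    }
  }
  // The challenge is checked on the server; the client's claim is not trusted.
  if (!verifyChallenge(body.challengeId, body.challengeResponse)) {
    return { status: 400, error: "challenge failed" };
  }
  // Accepted for processing; the reset e-mail would be sent from here.
  return { status: 202 };
}

// Constructed challenge store standing in for a CAPTCHA provider's verify call.
const issuedChallenges = new Map([["c1", "7xk2"]]);
function verifyChallengeOnce(id, response) {
  const expected = issuedChallenges.get(id);
  if (expected === undefined || expected !== response) return false;
  issuedChallenges.delete(id); // single use: a captured response cannot be replayed
  return true;
}
```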
@zhamadagithub, thank you for opening this issue. We will triage it within the next few business days.
Hello @zhamadagithub, thank you for bringing this issue to our attention. We have created an internal work item to investigate and address this.
Our security team is asking for an ETA on when this vulnerability will be resolved. Thank you!