The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
Tested the login function with 100+ wrong passwords and found that there is no restriction implemented to control excessive authentication attempts. A POST request with wrong credentials results in a 200 response, and one with correct credentials in a 302 response from the server.
The above screenshot shows the test using the BurpSuite Intruder tool.
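As an added illustration of the control this report finds missing (example code, not taken from the tested application), a minimal per-account failed-login throttle with a sliding window and lockout. The thresholds, the `USERS` store and the status codes returned by `login` are constructed assumptions that mirror the 200/302 behaviour described above.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values (assumptions, not from the report):
# 5 failures within a 15-minute window lock the account for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60

# Constructed sample credential store for the demo only
# (a real system compares against salted password hashes).
USERS = {"alice": "correct-horse"}


class LoginThrottle:
    """Tracks recent failed attempts per account and enforces a lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires

    def _prune(self, account, now):
        # Drop failures older than the sliding window.
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account].clear()

    def record_success(self, account):
        self.failures.pop(account, None)


def login(throttle, account, password):
    """Return an HTTP-like status: 429 while locked (before the password is
    even checked), 302 on success, 200 on a wrong password."""
    if throttle.is_locked(account):
        return 429
    if USERS.get(account) == password:
        throttle.record_success(account)
        return 302
    throttle.record_failure(account)
    return 200
```

Once the lockout triggers, even the correct password is refused until the window expires, which is what removes the value of an Intruder-style enumeration run against a single account.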