Brute-Force Vulnerability — Missing Rate Limiting
Overview
During authorized manual web application testing, a brute-force vulnerability was identified in the application's login mechanism. The authentication endpoint did not enforce any rate limiting, so an attacker could submit an unlimited number of login attempts without restriction.
Technical Description
The application's login endpoint accepted authentication requests without enforcing any mechanism to limit the number of attempts from a single source. There was no account lockout policy, no CAPTCHA challenge, and no progressive delay between failed attempts.
This means an attacker could automate credential-guessing attacks against user accounts using common password lists or credential-stuffing techniques. The absence of rate limiting greatly reduces the time and resources a successful brute-force attack requires.
Steps to Reproduce
- Enter a valid username and an incorrect password.
- Capture the login request using Burp Suite Proxy.
- Send the captured request to Burp Suite Intruder.
- Execute the attack and observe that all attempts are processed.
Remediation
The following measures are recommended to address this vulnerability:
- Implement rate limiting on the login endpoint.
- Introduce account lockout after 5 failed attempts.
- Implement CAPTCHA verification for suspicious activity.
- Consider Multi-Factor Authentication (MFA).
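As an added illustration (not code from this report or the tested application), the following Python sketch combines the first two controls above with the progressive delay the description mentions: a per-source throttle, an exponential delay after each failure, and a lockout after 5 failed attempts. The class and method names are hypothetical, and every threshold except the 5-failure limit is an assumed value chosen for the example.

```python
from collections import defaultdict, deque
import time

# Thresholds: 5 failures matches the report's recommendation; the other
# values are illustrative assumptions chosen for this example.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SOURCE_WINDOW_SECONDS = 60
SOURCE_MAX_PER_WINDOW = 20


class LoginGuard:
    """Per-source throttling, progressive delay and per-account lockout."""

    def __init__(self):
        self.source_attempts = defaultdict(deque)  # source -> attempt timestamps
        self.failures = defaultdict(int)           # username -> consecutive failures
        self.locked_until = {}                     # username -> unlock timestamp

    def precheck(self, username, source, now=None):
        """Run BEFORE verifying the password. Returns None if the attempt may
        proceed, otherwise the reason it must be refused."""
        now = time.time() if now is None else now
        window = self.source_attempts[source]
        while window and now - window[0] >= SOURCE_WINDOW_SECONDS:
            window.popleft()                # drop attempts outside the window
        if len(window) >= SOURCE_MAX_PER_WINDOW:
            return "rate_limited"           # too many attempts from this source
        window.append(now)
        if self.locked_until.get(username, 0) > now:
            return "locked"                 # refused even for a correct password
        return None

    def backoff_seconds(self, username):
        """Progressive delay before answering: 0, 1, 2, 4, 8 ... capped at 30."""
        n = self.failures[username]
        return 0 if n == 0 else min(2 ** (n - 1), 30)

    def record(self, username, password_ok, now=None):
        """Run AFTER the password check. Returns 'ok', 'failed' or 'locked'."""
        now = time.time() if now is None else now
        if password_ok:
            self.failures[username] = 0     # success resets the failure counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "locked"
        return "failed"
```

In a real handler, precheck() runs before the credential check so a locked or throttled request never reaches password verification, and the response for "locked" should be identical whether or not the supplied password was correct.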