Introduction:
A little bit about rate limiting:
A rate limiting algorithm checks whether a user session (or IP address) should be throttled, based on the request history kept in the session cache.
When a client makes too many requests within a given time frame, an HTTP server can respond with status code 429: Too Many Requests.
Steps To Reproduce The Issue
Step 1 - Go to this link: www.example.com
Enter your email and click on Forgot Password.
Step 2 - Intercept this request in Burp and forward until you find your email in the request body, like {"email":"your email here"}
POST /api/v1/users/password/remind HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/lost-password
Content-Type: application/json
X-CSRF-TOKEN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Origin: https://example.com
Content-Length: 33
Connection: close
Cookie: __cfduid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
{"email":"your email here"}
Step 3 - Now send this request to Intruder and repeat it 100 times by fuzzing an arbitrary value that has no effect on the request. I chose Accept-Language: en-US,en;q=0.$5$
Step 4 - You will see a 200 OK status code for every request and 100+ emails in your inbox.
This results in mass mailing (email bombing) of your users, which is a real business impact.
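The following is an added example (not code from the original post or from the affected site) showing how the rate limiting described in the introduction would stop the 100-request replay above. It models the POST /api/v1/users/password/remind endpoint from the captured request with a sliding-window limiter keyed on both the target email and the client IP; the limits (3 reset mails per email per hour, 20 reset requests per IP per hour), the IP addresses and the email addresses are assumed illustrative values, and the in-memory store stands in for whatever shared cache (for example Redis) a real deployment would use so that the count survives across server instances.

```python
import math
import time
from collections import Counter, deque
from typing import Deque, Dict, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    Each key keeps a deque of event timestamps; events older than the window
    are discarded on every check, so the count is exact rather than bucketed.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window_seconds = window_seconds
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Consume one slot for `key`. Returns (allowed, seconds_until_next_slot)."""
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:          # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            # The oldest event in the window decides when a slot frees up.
            return False, q[0] + self.window_seconds - now
        q.append(now)
        return True, 0.0


class PasswordRemindEndpoint:
    """Toy model of POST /api/v1/users/password/remind with two limiters.

    Per-email: bounds how many reset mails one address can receive.
    Per-IP: bounds how many reset requests one client can make, whatever
    addresses it names, so a single source cannot mail-bomb many users.
    The limit values are assumptions chosen for illustration.
    """

    def __init__(self, per_email=(3, 3600.0), per_ip=(20, 3600.0)) -> None:
        self.email_limiter = SlidingWindowLimiter(*per_email)
        self.ip_limiter = SlidingWindowLimiter(*per_ip)
        self.sent = []  # constructed stand-in for the mailer: addresses that would get a mail

    def handle(self, client_ip: str, body: dict, now: Optional[float] = None) -> Tuple[int, dict]:
        """Return (HTTP status, response headers) for one request."""
        email = str(body.get("email", "")).strip().lower()
        if not email:
            return 400, {}
        # Check the IP first; a denied client does not consume the email's slot.
        ok_ip, wait_ip = self.ip_limiter.allow("ip:" + client_ip, now)
        if not ok_ip:
            return 429, {"Retry-After": str(math.ceil(wait_ip))}
        ok_email, wait_email = self.email_limiter.allow("email:" + email, now)
        if not ok_email:
            # The IP slot stays consumed: the client did make a request.
            return 429, {"Retry-After": str(math.ceil(wait_email))}
        self.sent.append(email)
        # Same 200 whether or not the address exists, so the response does not
        # reveal which emails are registered.
        return 200, {}


def simulate_burst(n: int = 100, now: float = 0.0) -> Tuple[int, int, int]:
    """Replay `n` reset requests for one address from one IP within a second.

    Returns (count of 200 responses, count of 429 responses, mails sent).
    """
    endpoint = PasswordRemindEndpoint()
    codes: Counter = Counter()
    for i in range(n):
        status, _ = endpoint.handle(
            "203.0.113.7", {"email": "victim@example.com"}, now=now + i * 0.01
        )
        codes[status] += 1
    return codes[200], codes[429], len(endpoint.sent)


if __name__ == "__main__":
    ok, limited, mails = simulate_burst(100)
    print(f"200 OK: {ok}, 429 Too Many Requests: {limited}, mails sent: {mails}")
```

With the assumed limits, the same 100-request Intruder run yields three 200 responses and three mails; the remaining 97 requests get a 429 with a Retry-After header, which is the behaviour the post's Step 4 shows was missing. Normalising the email (trim and lower-case) before keying matters, because otherwise case variants of one address would each get their own quota.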
Thank you for reading. Follow for more.