No Rate Limit on Critical Endpoints


    • Type: Task
    • Resolution: Unresolved
    • Priority: Medium
    • 3.8.0
    • Affects Version/s: None
    • FLW Sprint 37, FLW Sprint 38, FLW Sprint 39, FLW Sprint 40
    • FLW Mobile App
    • All

      Critical endpoints lack server-side rate-limiting controls.

      Impact:
      Enables brute-force and automated attacks, user enumeration, and potential service outage.


      Vulnerability Name: No rate limit
      Vulnerable URL: https://uatamrit.piramalswasthya.org/identity-api/rmnch/syncDataToAmrit
      CVE/CWE: CWE-799
      CVSS Score: 7.5
      Overall Risk (Severity): Medium
      Observation / Description: A missing rate limit means the server does not restrict the number of attempts a client can make against an endpoint to extract data. The flaw becomes critical when misused by attackers.
      Impact: An attacker can brute-force the password of a particular username, possibly leading to account takeover. Because no rate limit is set on login, the endpoint may also allow user enumeration.
      Recommendation: Limit the number of HTTP requests for the same parameter on the server side.
      Reference: https://owasp.org/API-Security/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting/
      Steps to reproduce:
      Step 1: During the security assessment we captured the login page request in Burp Suite. After that we sent the request to Intruder for a brute-force attack. It was then concluded that it was possible to brute-force valid credentials, as there was no rate-limit mechanism implemented for the login page.
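The recommendation above (limit requests on the same parameter, server-side), as an added example that is not code from the AMRIT/FLW project: a sliding-window limiter keyed by the username parameter and by client address, applied before the credential check, with one error text for unknown users and wrong passwords. The limit values, the handler shape, the sample account and the manual clock are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts requests per key in a sliding window (in-memory; use a shared store across instances)."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests, self.window, self.clock = max_requests, window_seconds, clock
        self.events = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:  # forget requests older than the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class LoginGate:
    """Applies both limits before the credential check, so throttled attempts never reach it."""

    def __init__(self, credential_check, clock=time.monotonic, user_limit=(5, 60), ip_limit=(20, 60)):
        self.check = credential_check
        self.per_user = SlidingWindowLimiter(*user_limit, clock=clock)  # same username parameter
        self.per_ip = SlidingWindowLimiter(*ip_limit, clock=clock)  # same client address

    def login(self, client_ip, username, password):
        if not self.per_ip.allow(client_ip) or not self.per_user.allow(username.lower()):
            return 429, "Too many attempts, try again later"
        if self.check(username, password):
            return 200, "OK"
        return 401, "Invalid username or password"  # same text for unknown user and wrong password


def demo():
    now = [0.0]  # constructed manual clock so the run is deterministic
    accounts = {"alice": "correct-horse"}  # constructed sample account
    gate = LoginGate(lambda u, p: accounts.get(u) == p, clock=lambda: now[0])
    burst = [gate.login("203.0.113.5", "alice", f"guess{i}")[0] for i in range(7)]
    now[0] += 61  # the window has passed, so the legitimate user can log in again
    recovered = gate.login("203.0.113.5", "alice", "correct-horse")[0]
    return burst, recovered
```

Because attempts are counted regardless of outcome, a throttled caller learns nothing about whether the username exists; the per-address limit additionally slows a sweep over many usernames from one source.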

              Assignee:
              Sachin Kadam
              Reporter:
              Shashank Kharkwal
              Votes:
              0
              Watchers:
              4