Lack of Resources and Rate Limiting

Check List

Methodology

Black Box

Rate Limiting Password Reset Functionalities

1. Browse the target site with Burp Suite configured as the intercepting proxy so every request is captured (a test account is useful for receiving the reset emails, but the forgot-password flow itself is unauthenticated, so logging in is not required).

2. Go to the Forgot Password page and complete the reset request for the test account.

3. In Burp's HTTP history, inspect the captured requests and identify whether the password reset is performed through an API endpoint (typically a POST carrying the email address or username).

4. If it is, send that API request to Intruder and replay it 200 times against the endpoint, keeping the same target account.

5. If all 200 requests are accepted (each returns a 200 and the server never answers 429 or otherwise throttles, for example with a CAPTCHA challenge, a 403, or a temporary lockout), the lack of rate limiting is confirmed. If the server starts rejecting after N attempts, a limit exists; record the threshold and the window rather than reporting the issue.
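The five steps above, scripted end to end, as an added example that is not part of the original checklist. The endpoint path `/api/password-reset`, the JSON body `{"email": ...}`, the in-process mock server and its fixed-window limit are all assumptions constructed for offline demonstration; on an engagement, `probe_reset_endpoint()` is pointed at the request captured in Burp instead. The decision rule follows step 5, and additionally counts 403 and 423 as throttling signals:

```python
"""Probe a password-reset endpoint for missing rate limiting (added example,
not code from the original page). Assumed: POST /api/password-reset with a
JSON body {"email": ...}; the mock server is a stand-in for the real target."""
import json
import threading
import time
import urllib.error
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

RESET_PATH = "/api/password-reset"  # assumed endpoint path


def make_handler(limit_per_window, window_seconds=60):
    """Build a handler. limit_per_window=None reproduces the vulnerable
    behaviour (every request accepted); an integer enables a fixed-window
    per-client limit that answers 429 once the limit is exceeded."""
    counters = {}  # client_ip -> (window_start, request_count)

    class ResetHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo output quiet
            pass

        def do_POST(self):
            if self.path != RESET_PATH:
                self.send_response(404)
                self.end_headers()
                return
            length = int(self.headers.get("Content-Length", 0))
            self.rfile.read(length)  # body consumed; the email value is irrelevant here
            if limit_per_window is not None:
                now = time.monotonic()
                ip = self.client_address[0]
                start, count = counters.get(ip, (now, 0))
                if now - start >= window_seconds:
                    start, count = now, 0
                count += 1
                counters[ip] = (start, count)
                if count > limit_per_window:
                    self.send_response(429)
                    self.send_header("Retry-After", str(window_seconds))
                    self.end_headers()
                    return
            body = b'{"status":"reset email sent"}'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return ResetHandler


def start_server(limit_per_window):
    """Start the constructed mock on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(limit_per_window))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_reset_endpoint(base_url, email="victim@example.com", attempts=200):
    """Replay the reset request `attempts` times (the Intruder step, scripted)
    and tally the response status codes."""
    counts = Counter()
    payload = json.dumps({"email": email}).encode()
    for _ in range(attempts):
        req = urllib.request.Request(
            base_url + RESET_PATH, data=payload,
            headers={"Content-Type": "application/json"}, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                counts[resp.status] += 1
        except urllib.error.HTTPError as e:  # 4xx/5xx arrive as exceptions
            counts[e.code] += 1
    return counts


def lacks_rate_limiting(counts, attempts):
    """Step 5's rule: every attempt answered 200 and no throttling code at all
    (429, plus 403/423 as lockout-style signals) means the limit is missing."""
    throttled = sum(n for code, n in counts.items() if code in (429, 403, 423))
    return counts.get(200, 0) == attempts and throttled == 0


if __name__ == "__main__":
    for label, limit in (("vulnerable (no limit)", None), ("hardened (5 per minute)", 5)):
        srv = start_server(limit)
        url = f"http://127.0.0.1:{srv.server_port}"
        counts = probe_reset_endpoint(url, attempts=200)
        print(f"{label}: {dict(counts)} -> missing rate limit: "
              f"{lacks_rate_limiting(counts, 200)}")
        srv.shutdown()
        srv.server_close()
```

The hardened variant shows what a correct response looks like from the tester's side: the first five attempts succeed and the rest return 429 with a Retry-After header. When reporting, include the per-account and per-IP thresholds observed, since a limit keyed only on the source IP is still bypassable from many addresses.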


White Box

Cheat Sheet
