Brute-Force Vulnerability — Missing Rate Limiting

Severity: High | Category: Authentication | Context: Authorized Internship Testing

Overview

During authorized manual web application testing as part of the UptoSkills cybersecurity internship, a brute-force vulnerability was identified in the application's login mechanism. The authentication endpoint did not enforce any rate limiting, so an attacker could submit an unlimited number of login attempts.

Environment Tested

Testing was conducted on an authorized test environment provided as part of a structured cybersecurity internship program. All testing was performed within the defined scope and with explicit authorization.

  • Testing Type: Manual Web Application Security Testing
  • Authorization: Internship program scope (authorized)
  • Tool Used: Burp Suite (Intruder module)

Technical Description

The application's login endpoint accepted authentication requests without enforcing any mechanism to limit the number of attempts from a single source. There was no account lockout policy, no CAPTCHA challenge, and no progressive delay between failed attempts.

This means an attacker could automate credential guessing attacks against user accounts using common password lists or credential stuffing techniques. The absence of rate limiting significantly reduces the time and resources required for a successful brute-force attack.

Steps to Reproduce

  1. Navigate to the application's login page
  2. Enter a valid username and an incorrect password
  3. Capture the login request using Burp Suite Proxy
  4. Send the captured request to Burp Suite Intruder
  5. Configure a payload list with common passwords
  6. Execute the attack and observe that all attempts are processed without any blocking or throttling
  7. Confirm that no account lockout, CAPTCHA, or rate limiting is triggered regardless of the number of failed attempts

Impact

The absence of rate limiting on the authentication endpoint exposes the application to the following risks:

  • Unauthorized account access through automated password guessing
  • Credential stuffing attacks using leaked credential databases
  • Potential for account takeover, especially for users with weak passwords
  • Denial of service through high-volume authentication requests

Remediation

The following measures are recommended to address this vulnerability:

  • Implement rate limiting on the login endpoint (e.g., maximum 5 attempts per minute per IP/account)
  • Introduce account lockout or progressive delay after consecutive failed login attempts
  • Implement CAPTCHA verification after a threshold of failed attempts
  • Log and monitor failed authentication attempts for anomaly detection
  • Consider implementing multi-factor authentication (MFA) as an additional layer of defense
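As an added illustration of the remediation list above (example code written for this page, not part of the original report or of the tested application), the following Python sketch combines a per-IP and per-account sliding-window limit, a progressive delay, a temporary account lockout, and a small monitor that counts failed logins per source in a log extract. The thresholds, the log line format, and every name in it are assumptions.

```python
"""Login throttle and failed-login monitor (added example; all values are assumptions)."""
from collections import defaultdict, deque

MAX_ATTEMPTS_PER_WINDOW = 5    # assumed: mirrors the "5 attempts per minute" suggestion
WINDOW_SECONDS = 60
LOCKOUT_AFTER_FAILURES = 10    # assumed: consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 900
MAX_PROGRESSIVE_DELAY = 30     # assumed cap for the exponential back-off, in seconds


class ManualClock:
    """Injectable clock so the throttle can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Sliding-window limit per IP and per account, plus back-off and lockout."""
    def __init__(self, clock):
        self.clock = clock
        self.failures = defaultdict(deque)   # "ip:..." / "user:..." -> failure timestamps
        self.consecutive = defaultdict(int)  # account -> consecutive failures
        self.locked_until = {}               # account -> time the lockout expires

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return q

    def check(self, ip, username):
        """Call before verifying credentials. Returns (allowed, reason, delay_seconds).
        The reason string is for logging only; the client should see one uniform error."""
        now = self.clock()
        until = self.locked_until.get(username, 0)
        if now < until:
            return (False, "account_locked", until - now)
        for key in ("ip:" + ip, "user:" + username):
            recent = self._recent(key, now)
            if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
                return (False, "rate_limited", WINDOW_SECONDS - (now - recent[0]))
        n = self.consecutive[username]
        delay = min(2 ** (n - 1), MAX_PROGRESSIVE_DELAY) if n else 0   # 1, 2, 4, 8 ... seconds
        return (True, "ok", delay)

    def record_failure(self, ip, username):
        now = self.clock()
        self.failures["ip:" + ip].append(now)
        self.failures["user:" + username].append(now)
        self.consecutive[username] += 1
        if self.consecutive[username] >= LOCKOUT_AFTER_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS

    def record_success(self, username):
        self.consecutive.pop(username, None)
        self.locked_until.pop(username, None)


# Constructed log extract in an assumed "timestamp event key=value ..." format.
CONSTRUCTED_LOG = """\
2024-05-01T10:00:01Z login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:02Z login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:02Z login_failed ip=203.0.113.7 user=bob
2024-05-01T10:00:03Z login_failed ip=203.0.113.7 user=carol
2024-05-01T10:00:03Z login_failed ip=203.0.113.7 user=dave
2024-05-01T10:00:04Z login_failed ip=203.0.113.7 user=erin
2024-05-01T10:00:09Z login_failed ip=198.51.100.9 user=alice
2024-05-01T10:00:15Z login_ok ip=198.51.100.9 user=alice
"""


def failed_logins_per_ip(log_text):
    """Count login_failed events per source IP over the whole extract."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "login_failed":
            continue
        kv = dict(f.split("=", 1) for f in fields[2:])
        counts[kv["ip"]] += 1
    return dict(counts)


def suspicious_ips(log_text, threshold=MAX_ATTEMPTS_PER_WINDOW):
    """Sources whose failure count meets the threshold; many distinct users from one IP is a stuffing pattern."""
    return sorted(ip for ip, n in failed_logins_per_ip(log_text).items() if n >= threshold)


def simulate():
    """Walk the throttle through a burst, a cooled-down window, a success, and a lockout."""
    clock, th, out = ManualClock(), None, {}
    th = LoginThrottle(clock)
    out["first"] = th.check("203.0.113.7", "alice")
    for _ in range(MAX_ATTEMPTS_PER_WINDOW):
        th.record_failure("203.0.113.7", "alice")
        clock.advance(1)
    out["same_ip"] = th.check("203.0.113.7", "alice")[:2]
    out["other_ip_same_user"] = th.check("198.51.100.9", "alice")[:2]
    out["other_ip_other_user"] = th.check("198.51.100.9", "bob")
    clock.advance(WINDOW_SECONDS)
    out["after_window"] = th.check("203.0.113.7", "alice")   # allowed, but with back-off
    th.record_success("alice")
    out["after_success"] = th.check("203.0.113.7", "alice")
    for _ in range(LOCKOUT_AFTER_FAILURES):
        th.record_failure("203.0.113.7", "bob")
        clock.advance(WINDOW_SECONDS)   # spaced out so only the lockout rule trips
    out["locked"] = th.check("198.51.100.9", "bob")[:2]
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
    print("suspicious sources:", suspicious_ips(CONSTRUCTED_LOG))
```

The per-account limit is there because a per-IP limit alone does nothing against attempts spread across many sources; the lockout is temporary so that the same mechanism cannot be turned into a denial of service against legitimate users. The reason string should stay server-side: the client receives one uniform error (with a Retry-After header where appropriate) so that throttling responses do not reveal whether a username exists.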