This blog is all about Cyber Security and IT

Tuesday, July 7, 2020

No Rate Limit Bug on Forgot password

Overview of this BUG:

A rate limiting is used to check if the user session has to be limited based on the information in the session cache. If user make too many requests within a given time , HTTP-Servers has to respond with status code 

429: Too Many Requests.


I have identified that when Forgetting Password for account , the request has no rate limit which then can be used to loop through one request. Which can be annoying to the root users sending mass password to one email.

Steps To Reproduce The Issue

Go to Forget Password page

Enter the mail where you want to receive the link

Capture that request in BURP.

Send this to Intruder and set  parameter at"Accept-Language: en-US,en;q=0.5

Now go to payload and select number from 1 to 100.

Click on start attack.

If you will receive 100 mails with this , than this is a bug which have to be reported.

Solution -

I Will Recommend to Add A ReCaptcha & Sort Of Something Which Requires Manual Human Interaction To Proceed Like You Can Add Captcha Like 2+2=___ so that it cannot be brute forced and you also can have a limit at the backend for particular number upto 5 times a day user can request Forget Password Email or Link something like that will prevent you from someone exploiting this vulnerability


If You Are Using Any Email Service Software API Or Some Tool Which Costs You For Your Email This Type Of Attack Can Result You In Financial Lose And It Can Also Slow Down Your Services It Can Take Bulk Of Storage In Sent Mail Although If Users Are Affected By This Vulnerability They Can Stop Using Your Services Which Can Lead To Business Risk

Sunday, July 5, 2020

Recon like a king for Bug Bounty

As we all know , If we want to hunt bugs , we have to get more and more information. With Recon we can:
  • Increase Target
  • Unpopular subdomains
1. Tool: SubBrute
usage: ./ > subdomain.txt

Now After having subdomains , I need to find further subdomains of subdomains

2. Tool: altdns
usage: -i subdomains.txt -o -w words.txt -s output.txt

Using above tool , you will get lot of subdomains

now we need to get all http status code for all subdomains

for that ;
go to

now you have to check for all the domains that are redirecting , as all those domains are really important