Lack of Rate Limiting on Login



How to test:

  1. Go to the login page and send the unsuccessful login attempt request to Burp Intruder

  2. Change the password values for brute force to random values

  3. Observe that the response to the 20 or 30th request doesn't change and the account is not locked.

Last updated