Lack of Rate Limiting on Login

Severity:

Low

How to test:

Go to the login page and send the unsuccessful login attempt request to Burp Intruder
Change the password values for brute force to random values
Observe that the response to the 20 or 30th request doesn't change and the account is not locked.

PreviousLack of Throttling on Form Submissions NextWeak Password Complexity Rules

Last updated 1 year ago