Lack of Rate Limiting on Login

Severity:

Low

How to test:

  1. Go to the login page, submit one login attempt with a valid username and a wrong password, intercept the request in Burp, and send it to Intruder.

  2. Mark only the password parameter as the payload position and use a payload list of random values (the goal is not to guess the password, but to generate a stream of failed attempts).

  3. Run 20 to 30 requests and compare the responses: the status code, response length, and error message should stay identical for the 20th or 30th request as for the first. No HTTP 429, no "account locked" or "try again later" message, no CAPTCHA and no Retry-After header indicates that neither per-account lockout nor request throttling is in place.

  4. Afterwards, log in with the correct password. If it still succeeds immediately, the account was not silently locked either, which confirms the finding (a silent lockout would keep the error message constant but reject the valid password too).
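The manual Intruder run above can be scripted so the comparison in step 3 is done mechanically over every response. The following Python is an added example and not part of the original page or any tool it mentions: it replays failed logins with random passwords through a caller-supplied `send_attempt` function and reports the first attempt at which the target's answer changed (HTTP 429, Retry-After, a lockout or CAPTCHA message, or a different status code). The `make_fake_target` helper is a constructed stand-in for the login endpoint so the script runs offline; a real run would replace it with a function that POSTs to the login URL and returns `(status_code, body, headers)`.

```python
"""Automated check for missing rate limiting on a login endpoint (added example)."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Phrases a throttled or locked login usually returns; extend for the target's wording.
RATE_LIMIT_MARKERS = ("locked", "too many", "try again later", "captcha")

# Shape of one login attempt as seen by the checker: (status, body, headers).
SendFn = Callable[[str, str], Tuple[int, str, Dict[str, str]]]


@dataclass
class Attempt:
    index: int
    status: int
    body: str
    headers: Dict[str, str]


@dataclass
class Verdict:
    attempts: int                      # how many requests were actually sent
    throttled_at: Optional[int]        # index of the first changed response, or None
    signals: List[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        # Vulnerable when every attempt got the same unthrottled answer.
        return self.throttled_at is None


def random_password(length: int = 12) -> str:
    """Random payload for the password position; correctness is irrelevant."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def classify(att: Attempt, baseline: Attempt) -> List[str]:
    """Return the rate-limiting signals in `att` compared with the first failed attempt."""
    signals: List[str] = []
    if att.status == 429:
        signals.append("HTTP 429 Too Many Requests")
    if "retry-after" in {k.lower() for k in att.headers}:
        signals.append("Retry-After header present")
    body_low, base_low = att.body.lower(), baseline.body.lower()
    for marker in RATE_LIMIT_MARKERS:
        # Only count a phrase that was absent from the baseline error page.
        if marker in body_low and marker not in base_low:
            signals.append(f"response mentions '{marker}'")
    if att.status != baseline.status:
        signals.append(f"status changed {baseline.status} -> {att.status}")
    return signals


def check_rate_limit(send_attempt: SendFn, username: str, attempts: int = 30) -> Verdict:
    """Send `attempts` failed logins; stop at the first response that differs from the baseline."""
    baseline: Optional[Attempt] = None
    for i in range(1, attempts + 1):
        status, body, headers = send_attempt(username, random_password())
        att = Attempt(i, status, body, headers)
        if baseline is None:
            baseline = att          # first failure defines the "normal" rejection
            continue
        signals = classify(att, baseline)
        if signals:
            return Verdict(attempts=i, throttled_at=i, signals=signals)
    return Verdict(attempts=attempts, throttled_at=None)


def make_fake_target(lock_after: Optional[int]) -> SendFn:
    """Constructed stand-in for a login endpoint (no network).

    lock_after=None models the vulnerable application from this finding: every
    failure returns the same 200 error page. An integer models an application
    that starts answering 429 once that many failures have been seen.
    """
    state = {"failures": 0}

    def send_attempt(username: str, password: str) -> Tuple[int, str, Dict[str, str]]:
        state["failures"] += 1
        if lock_after is not None and state["failures"] > lock_after:
            return 429, "Too many failed logins, try again later.", {"Retry-After": "60"}
        return 200, "Invalid username or password.", {}

    return send_attempt


if __name__ == "__main__":
    for label, target in (("unthrottled", make_fake_target(None)), ("throttled", make_fake_target(5))):
        verdict = check_rate_limit(target, "alice")
        print(label, "vulnerable" if verdict.vulnerable else f"throttled at attempt {verdict.throttled_at}", verdict.signals)
```

Against a live target the same script is pointed at the real endpoint by replacing `make_fake_target` with a function that performs the POST and returns the status code, body and headers; because `classify` compares each response against the first failure rather than against fixed strings, it also flags subtler changes such as a different status code. It does not cover a silent lockout, so step 4 (confirming the valid password still works) remains a manual check.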
