Weakness
The user login page does not implement any form of rate limiting
Description
summary
As a best practice, a login page should have rate limiting.
Reproduction process
- try to log in
- intercept the request with Burp Suite
- send the request to Intruder and choose the password field
- paste a list of passwords and start the attack
- if the password is correct, we will get 274 as the response length
Possible cause of vulnerability
You didn't implement any rate limit for login attempts.
How to patch
Implement a rate limit or use a CAPTCHA.
Expected results and impact
An attacker can achieve account takeover.
Other notes and references
https://hackerone.com/reports/410451
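The fix the report asks for in "How to patch", as an added example that is not part of the original report: a sliding-window throttle on failed logins keyed by account and by client IP, wired into a login handler that returns the same response for a wrong user and a wrong password. The limits, the window length and the demo user store are assumptions.

```python
import time
from collections import deque, defaultdict

# Constructed limits (assumptions, not values from the report)
MAX_PER_ACCOUNT = 5      # failed attempts per username inside the window
MAX_PER_IP = 20          # failed attempts per client IP inside the window
WINDOW_SECONDS = 300     # sliding window length

class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by account and by IP."""
    def __init__(self, now=time.monotonic):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key):
        q = self.failures[key]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:           # drop entries older than the window
            q.popleft()
        return len(q)

    def allowed(self, ip, username):
        # both the per-account and the per-IP budget must have room
        return (self._recent(("acct", username.lower())) < MAX_PER_ACCOUNT
                and self._recent(("ip", ip)) < MAX_PER_IP)

    def record_failure(self, ip, username):
        t = self.now()
        self.failures[("acct", username.lower())].append(t)
        self.failures[("ip", ip)].append(t)

    def record_success(self, username):
        # assumption: a successful login resets that account's counter
        self.failures.pop(("acct", username.lower()), None)

# Constructed demo store; a real system stores password hashes, not plaintext
USERS = {"alice": "correct horse battery staple"}

def login(throttle, ip, username, password):
    """Returns 'ok', 'denied' or 'throttled'. 'denied' is identical for an
    unknown user and a wrong password, so the response length leaks nothing."""
    if not throttle.allowed(ip, username):
        return "throttled"                   # HTTP 429 in a real handler
    if USERS.get(username) == password:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(ip, username)    # count failures only
    return "denied"
```

Counting only failures keeps legitimate users unaffected until the budget is spent, and checking the throttle before the credential lookup means a throttled request never touches the user store.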
We have determined that the impact of the discovered vulnerability is minimal and the likelihood of it being exploited by an attacker is remarkably low, so we will close this report.