Peter Chen created FINERACT-2125:
------------------------------------
Summary: No Rate Limiting on Login Panel
Key: FINERACT-2125
URL: https://issues.apache.org/jira/browse/FINERACT-2125
Project: Apache Fineract
Issue Type: Bug
Components: Client, Security
Reporter: Peter Chen
h3. Description
The application does not provide any kind of rate limiting mechanism to protect
against many requests made in a short frame of time. This type of issue might
lead to account takeover by identifying correct usernames and passwords by
brute-forcing the login page.
h3. Reproduction Steps
1- Visit the login page at [https://demo.mifos.io/] or
[https://openmf.github.io/web-app/]
2- Enter any registered username and an incorrect password, click on Login and
make sure to intercept the request via the BurpSuite tool.
3- Send the request to Intruder and set the payload position to the password field.
4- Paste 400 incorrect passwords and put the correct password in the 401st position.
5- Start the attack and see that it successfully made 400 requests. On the 401st
request it logged in successfully with the correct password.
Note: Please note that a similar issue can be replicated where the vulnerable
field is the username.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
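As an added defensive example (not Fineract's own code), here is a sliding-window failed-login limiter keyed on username and source IP, replayed against the scenario in the report: 400 wrong passwords followed by the correct one. The policy values, the victim username and the client IP are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example; they are not Fineract settings.
MAX_FAILURES = 5         # failed attempts tolerated inside one window
WINDOW_SECONDS = 300     # sliding window over which failures are counted
LOCKOUT_SECONDS = 900    # how long a key stays locked after the limit is hit


class LoginRateLimiter:
    """Sliding-window limiter keyed on (username, client IP).

    Keying on the pair rather than the username alone stops one source from
    locking a victim account at will while still capping guesses per source.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable for tests
        self._failures = defaultdict(deque)  # key -> failure timestamps
        self._locked_until = {}              # key -> unlock time

    def attempt(self, username, ip, credentials_valid):
        """Return 'locked', 'denied' or 'allowed' for one login attempt.

        The lock is checked before the credential result is honoured, so a
        correct password arriving during a lockout (the 401st request) is rejected.
        """
        key, now = (username, ip), self._clock()
        unlock_at = self._locked_until.get(key)
        if unlock_at is not None:
            if now < unlock_at:
                return "locked"
            del self._locked_until[key]      # lockout expired, start clean
            self._failures[key].clear()
        if credentials_valid:
            self._failures[key].clear()      # a success resets the counter
            return "allowed"
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        if len(window) > MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
        return "denied"


def replay_reported_attack(limiter, username="victim", ip="203.0.113.7"):
    """Constructed replay of the report: 400 wrong passwords, then the right one."""
    outcomes = [limiter.attempt(username, ip, False) for _ in range(400)]
    outcomes.append(limiter.attempt(username, ip, True))
    return outcomes
```

Per-(user, IP) keying alone can be evaded by rotating source addresses, so a deployment would pair it with a slower per-username cap or step-up authentication. Return the same response body for "locked" and "denied" so the limiter does not confirm which usernames exist.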