Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V2 - Authentication

No Rate Limiting or Captcha on Login Page

POC

  1. Go to the login page and send an unsuccessful login attempt request to Burp Intruder.
  2. Mark the password value as the payload position and supply random values for the brute-force run.
  3. Observe that the response to the 20th or 30th request does not change and the account is not locked.
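One server-side mitigation for this finding, as an added example that is not Cobalt's or any specific application's code: a sliding-window failed-login counter keyed on account and client IP that locks the pair once a threshold is reached, so the 20th or 30th guess in the POC is refused even if it happens to be correct. The window, threshold and lockout values, and the injectable clock used for testing, are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed parameters (not from the wiki page); tune them for the application.
WINDOW_SECONDS = 300       # sliding window over which failures are counted
MAX_FAILURES = 5           # failures allowed in the window before locking
LOCKOUT_SECONDS = 900      # how long the (account, IP) pair stays locked


class LoginRateLimiter:
    """Counts failed logins per (username, client IP) in a sliding window and
    locks the pair when MAX_FAILURES is reached. While locked, even a correct
    password is rejected, which is what breaks the brute-force loop."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> monotonic unlock time

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, username, ip):
        until = self._locked_until.get((username, ip))
        return until is not None and self._clock() < until

    def attempt(self, username, ip, password_ok):
        """Record one login attempt and return (allowed, reason).
        The caller must reject the login whenever allowed is False,
        regardless of password_ok."""
        key, now = (username, ip), self._clock()
        if self.is_locked(username, ip):
            return False, "locked"
        if password_ok:
            self._failures.pop(key, None)     # success clears the counter
            return True, "ok"
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "bad_password"
```

Keying on the (account, IP) pair limits a single source from locking a victim out, but an attacker spread across many addresses still gets MAX_FAILURES guesses per IP, so pair it with a per-account counter that triggers a CAPTCHA or step-up check after repeated failures.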

Impact

Low (it could lead to account takeover of users if the attacker finds a valid login through a brute-force attack; the impact can be increased in that case)

Likelihood

Low