V2 - Authentication
No Rate Limiting or Captcha on Login Page
- Go to login page and send the unsuccessful login attempt request to Burp Intruder
- Change the password values for brute force as random values
- Observe that the response to the 20 or 30th request doesn't change and the account is not locked.
Low (It could lead to account takeover of users if the attacker finds a valid login through bruteforce attack. The Impact can be increased then)