Stellar.org: brute force attack allowed on admin page https://www.stellar.org/wp-admin/

2018-04-25T03:08:06
ID H1:342977
Type hackerone
Reporter abo-jehad
Modified 2020-02-23T16:21:28

Description

Hi security team. Due to your bug bounty program, I found a basic authentication method. By doing many trials, the server will respond and will not block the login process. The attack can be automated by Burp Intruder until getting access to the admin page. In the second screen, the request is intercepted by Burp Proxy. F290121:

In the third and fourth screens I used Burp Intruder to automate a brute force attack (I tried only 9 times to make a POC). F290122: F290123:

Impact

If the attack is completed, the admin page is accessed.