brute force attack allowed on admin page

ID H1:342977
Type hackerone
Reporter abo-jehad
Modified 2020-02-23T16:21:28


Hi security team. Due to your bug bounty program, I found a basic authentication method. By doing many trials, the server will respond and will not block the login process. The attack can be automated by Burp Intruder until getting access to the admin page. In the second screen the request is intercepted by Burp Proxy (attachment F290121).

In the third and fourth screens I used Burp Intruder to automate the brute force attack (I tried only 9 times to make a PoC) (attachments F290122, F290123).


If the attack is completed, the admin page is accessed.
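The weakness the report describes is a Basic-auth endpoint that keeps answering 401 to every wrong guess and never slows the client down. The following is an added illustration of the missing control, written for this page and not code from the report or the affected program: a Basic-auth check that counts consecutive failures per client, locks the client out for a window after too many, and verifies the password in constant time. The credential store, salt, threshold, lockout window, client addresses and the `BasicAuthGate` class are all constructed for the demo (a real deployment would use a slow password hash, persist counters outside one process, and usually pair lockout with rate limiting and alerting rather than relying on a bare counter).

```python
import base64
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo credential store: username -> PBKDF2 digest of the password.
# The salt and iteration count are illustrative, not from the report.
_SALT = b"demo-salt-not-for-production"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"admin": _digest("correct horse battery staple")}

MAX_FAILURES = 5        # consecutive failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 300   # how long a locked client is refused (assumed policy)


def make_header(user: str, password: str) -> str:
    """Build an RFC 7617 Basic Authorization header value (used by the demo only)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


class BasicAuthGate:
    """Basic-auth verifier with per-client failure counting and temporary lockout.

    `clock` is injectable so the lockout window can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # client_id -> consecutive failed attempts
        self.locked_until = {}             # client_id -> monotonic time when lockout ends

    @staticmethod
    def _parse(header):
        """Return (user, password) from a Basic header, or None if it is malformed."""
        if not header or not header.startswith("Basic "):
            return None
        try:
            raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        if ":" not in raw:
            return None
        user, password = raw.split(":", 1)
        return user, password

    def check(self, client_id: str, authorization_header) -> int:
        """Return an HTTP status: 200 on success, 401 on bad/missing credentials,
        429 while the client is locked out (no credential check is performed then)."""
        now = self.clock()
        deadline = self.locked_until.get(client_id)
        if deadline is not None and now < deadline:
            return 429
        if deadline is not None:
            del self.locked_until[client_id]   # window expired, start fresh

        ok = False
        creds = self._parse(authorization_header)
        if creds is not None:
            user, password = creds
            supplied = _digest(password)        # always hash, so unknown users cost the same
            expected = USERS.get(user)
            ok = expected is not None and hmac.compare_digest(supplied, expected)

        if ok:
            self.failures.pop(client_id, None)
            return 200

        self.failures[client_id] += 1
        if self.failures[client_id] >= MAX_FAILURES:
            self.locked_until[client_id] = now + LOCKOUT_SECONDS
            self.failures.pop(client_id, None)
        return 401


def demo():
    """Stand-alone walk-through: five wrong guesses lock the client, a correct
    password during the lockout is still refused, another client is unaffected."""
    t = [0.0]
    gate = BasicAuthGate(clock=lambda: t[0])
    out = [gate.check("10.0.0.1", make_header("admin", f"guess{i}")) for i in range(5)]
    out.append(gate.check("10.0.0.1", make_header("admin", "correct horse battery staple")))
    out.append(gate.check("10.0.0.2", make_header("admin", "correct horse battery staple")))
    t[0] = LOCKOUT_SECONDS + 1
    out.append(gate.check("10.0.0.1", make_header("admin", "correct horse battery staple")))
    return out


if __name__ == "__main__":
    print(demo())
```

Returning 429 before touching the credential store is the point: once a client has exhausted its attempts, further guesses (including the correct one) are refused for the window, which is what turns an unbounded Intruder run into a few hundred tries per hour at most. The same counter should be keyed on the target account as well as the client address, since an attacker can rotate addresses; that variant is left out here to keep the example short.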