HackerOne report H1:6574 (Simon90)
History: Apr 08, 2014 - 6:46 p.m.

ReddAPI: Login page password-guessing attack

2014-04-08 18:46:04
simon90
hackerone.com
199

Hello team of Reddapi!

Here to report a vulnerability on your site.

Affected site: www.reddapi.com

Vulnerability: Login page password-guessing attack

Severity: Low.

Vulnerability description:

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination that works is found.

Attack Details:

The http://www.reddapi.com/ (/login) page doesn't have any protection against password-guessing (brute-force) attacks. It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.

I personally tried many times with a wrong password, and still no account lockout was detected.

Fix: Implement Captcha
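The lockout recommended above, as an added example that is not part of the original report and not ReddAPI's own code. It assumes a policy of 5 consecutive failures followed by a 15-minute lock (both values are assumptions), uses a constructed in-memory user store in place of a real credential database, and takes an injectable clock so the lockout expiry can be exercised without waiting.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed demo credential store (username -> password). Plaintext only for the
# demo; a real store holds salted password hashes.
DEMO_USERS = {"alice": "correct horse battery staple"}
# Dummy value compared against for unknown usernames so the code path costs the same.
_DUMMY_PASSWORD = "x" * 32


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failures in the current window
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginThrottle:
    """Per-account lockout after N consecutive failed logins (assumed policy: 5 / 15 min)."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.time  # injectable for tests
    _state: Dict[str, AttemptState] = field(default_factory=dict)

    def is_locked(self, username: str) -> bool:
        st = self._state.get(username)
        return st is not None and self.clock() < st.locked_until

    def record_failure(self, username: str) -> None:
        st = self._state.setdefault(username, AttemptState())
        st.failures += 1
        if st.failures >= self.max_failures:
            # Lock the account and start a fresh counting window when the lock expires.
            st.locked_until = self.clock() + self.lockout_seconds
            st.failures = 0

    def record_success(self, username: str) -> None:
        # A successful login clears the failure history for the account.
        self._state.pop(username, None)

    def attempt_login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        if self.is_locked(username):
            # Do not evaluate the password at all while locked: a correct guess made
            # during the lockout must be indistinguishable from a wrong one.
            return "locked"
        expected = DEMO_USERS.get(username, _DUMMY_PASSWORD)
        # Constant-time comparison so response time does not leak how much matched.
        matched = hmac.compare_digest(expected.encode(), password.encode())
        if matched and username in DEMO_USERS:
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "bad_credentials"


def simulate_guessing(throttle: LoginThrottle, username: str, guesses: int) -> list:
    """Feed `guesses` wrong passwords and return the per-attempt outcomes."""
    return [throttle.attempt_login(username, f"wrong-guess-{i}") for i in range(guesses)]


if __name__ == "__main__":
    now = [1_000_000.0]
    t = LoginThrottle(clock=lambda: now[0])
    print(simulate_guessing(t, "alice", 7))       # 5 bad_credentials, then locked
    now[0] += 901                                 # advance past the lockout window
    print(t.attempt_login("alice", DEMO_USERS["alice"]))  # ok
```

Two design points worth keeping: the correct password is rejected while the account is locked, otherwise the lockout only slows guessing rather than stopping it; and a per-account counter on its own lets anyone lock a victim out by sending wrong passwords, so in practice it is paired with a per-source rate limit and the CAPTCHA the report suggests.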

Well, I await more information about this report!

Thanks and best regards,

Simone