HackerOne report H1:790854 by Adarsh_p
Feb 07, 2020 - 7:51 p.m.

X (Formerly Twitter): NO username used in authentication to www.mopub.com, leading to direct password submission with an unlimited submission rate.

2020-02-07 19:51:26 | adarsh_p | hackerone.com

**Summary:** Username is not used in authentication, leading to direct password submission.

Description: The username is not used in authentication at https://www.mopub.com/login/?next=/dsp-portfolio/ (this page is labelled SITE ADMIN; refer to the POC). This allows direct submission of the password, and the password has an unlimited submission rate.

Steps To Reproduce:


  1. Go to https://www.mopub.com/login/?next=/dsp-portfolio/
  2. We get a text box input only for password submission.
  3. This password submission has an unlimited rate, leading to brute-force attacks.

POC screenshots attached.

Impact: This page is labelled as site admin (see the POC), and thus direct entry of a password only, with no rate limit on submissions, can lead to an attacker getting logged in.
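The missing control described in the steps and impact above is a per-client throttle on the password-only form. The following is an added example, not MoPub's code, showing how such an endpoint can be rate-limited even without a username to key on: failures are counted per client IP in a sliding window, a lockout with exponential backoff is applied once the limit is hit, and a successful login resets the counters. The policy values are assumed, and `simulate` replays constructed attempts against a fixed clock so the behaviour can be checked offline.

```python
import hmac
from collections import defaultdict, deque
WINDOW_SECONDS = 300       # sliding window for counting failures (assumed value)
MAX_FAILURES = 5           # failures inside the window before a lockout (assumed)
BASE_LOCKOUT_SECONDS = 60  # first lockout length; doubles on each repeat (assumed)

class LoginThrottle:
    """Per-IP throttle for a login form that has no username to key on."""
    def __init__(self, now):
        self._now = now                      # callable returning unix time
        self._failures = defaultdict(deque)  # ip -> recent failure timestamps
        self._locked_until = {}              # ip -> time the lockout ends
        self._lockouts = defaultdict(int)    # ip -> lockouts so far
    def _prune(self, ip, now):
        q = self._failures[ip]               # drop failures outside the window
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
    def allowed(self, ip):                   # may this attempt hit the password check?
        now = self._now()
        if now < self._locked_until.get(ip, 0):
            return False
        self._prune(ip, now)
        return len(self._failures[ip]) < MAX_FAILURES
    def record_failure(self, ip):
        now = self._now()
        self._failures[ip].append(now)
        self._prune(ip, now)
        if len(self._failures[ip]) >= MAX_FAILURES:   # lock out, exponential backoff
            self._lockouts[ip] += 1
            self._locked_until[ip] = now + BASE_LOCKOUT_SECONDS * 2 ** (self._lockouts[ip] - 1)
            self._failures[ip].clear()
    def record_success(self, ip):            # a real login resets the counters
        for table in (self._failures, self._locked_until, self._lockouts):
            table.pop(ip, None)

def simulate(attempts, secret="correct-password"):
    """Replay constructed (ip, password, unix_time) attempts; return one outcome each."""
    clock = [0.0]
    throttle = LoginThrottle(now=lambda: clock[0])
    outcomes = []
    for ip, password, t in attempts:
        clock[0] = t
        if not throttle.allowed(ip):
            outcomes.append("throttled")
        elif hmac.compare_digest(password, secret):  # constant-time compare
            throttle.record_success(ip)
            outcomes.append("ok")
        else:
            throttle.record_failure(ip)
            outcomes.append("denied")
    return outcomes
```

In a real deployment the counters would live in shared storage (for example a cache keyed by client address) rather than in process memory, so that every web node enforces the same limit.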

Supporting Material/References:

  • Screenshots of POC attached.

Impact

An attacker can log in to a page which is listed as SITE ADMIN on mopub.com.