🕵️ U.S. Dept Of Defense: No Rate Limiting on https://██████/██████████/accounts/password/reset/ endpoint leads to Denial of Service
News section: 🕵️ Security vulnerabilities
🔗 Source: vulners.com
Summary: No rate limit on the password reset endpoint allows the mail-sending functionality to be abused for spam. Additionally, the password-reset link remains the same after each request.

Description: A malicious user could target an nga.mil user's mailbox and spam it with as many requests as he would like.

Possible scenarios:
- Attacker could use this vulnerability to bomb out the email inbox of the victim.
- Attacker could send spear-phishing to the selected mail address.
- Attacker might cause denial of service to the mail servers.

Step-by-step Reproduction Instructions
1. Go to https://█████/█████/accounts/password/reset/
2. Click on "Send Email" and capture the request in Burp.
3. Send to Intruder and start a Sniper attack with NULL payloads.

Suggested Mitigation/Remediation Actions
- Limit password reset requests to once every X minutes.
- Use CAPTCHA verification after X requests.
- Issue a random password-reset link for each request.

Similar reports:
https://hackerone.com/reports/764122
https://hackerone.com/reports/791498
https://hackerone.com/reports/441161

Best Regards,
Gal Nagli

Impact
- Attacker could use this vulnerability to bomb out the email inbox of the victim.
- Attacker could send spear-phishing to the selected mail address.
- Attacker might cause denial of service to the mail... ...
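As an added example (not code from the report or from the affected site), a minimal Python password-reset service that implements the two suggested mitigations: a per-address request limit and a fresh, single-use token on every request. The limit values, class and function names are assumptions.

```python
import secrets
import hashlib
import time
from collections import defaultdict, deque

# Assumed policy values (not from the report): at most 3 reset e-mails per
# address per 15-minute window; each issued token is valid for 30 minutes.
MAX_REQUESTS = 3
WINDOW_SECONDS = 15 * 60
TOKEN_TTL_SECONDS = 30 * 60


class PasswordResetService:
    """Issues password-reset tokens with a per-address rate limit and a new,
    single-use token per request, so repeated requests neither flood the
    mailbox nor reuse the same reset link."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._requests = defaultdict(deque)   # email -> timestamps of recent requests
        self._tokens = {}                     # sha256(token) -> (email, expiry)

    def request_reset(self, email):
        """Return a new token, or None when the address is over its limit.
        The HTTP layer should respond identically in both cases so the endpoint
        reveals neither whether the address exists nor that it is throttled."""
        now = self._now()
        recent = self._requests[email]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                  # drop timestamps outside the window
        if len(recent) >= MAX_REQUESTS:
            return None                       # throttled: no mail is sent
        recent.append(now)
        token = secrets.token_urlsafe(32)     # unpredictable and unique per request
        # Store only a hash so a leaked token table cannot be replayed.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Consume a token exactly once; returns the e-mail it was issued for,
        or None if the token is unknown, already used, or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)  # pop: single use even when valid
        if entry is None:
            return None
        email, expiry = entry
        return email if self._now() < expiry else None
```

The per-address window limits mailbox flooding; a per-source-IP limit or CAPTCHA after N requests would be layered on top in the same way.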