AI-Powered Cyberattacks: The New Era of Intelligent Cyber Warfare
Web vulnerabilities are security weaknesses in websites and web applications that attackers can exploit to steal data, gain unauthorized access, or disrupt services. Identifying and fixing these vulnerabilities through penetration testing and vulnerability assessments helps protect your business from cyber threats and ensures a secure online presence.
Vulnerability Title: No rate limit on login
OWASP: A07:2021-Identification and Authentication Failures
Description:
On the login form of the website/portal, we observe that no rate limit is applied. This means an attacker can perform a brute-force attack on the password, potentially gaining unauthorized access to the victim’s account.
Impact:
This vulnerability allows attackers to guess passwords and log in as legitimate users, compromising users’ confidentiality, integrity & availability (CIA).
Mitigation:
Implement rate limiting on login attempts to restrict the number of attempts from a single IP address. Implement request throttling (e.g., after 3 invalid attempts, hold the user for 1 minute). Introduce CAPTCHA to prevent automated login attempts.
Steps to Reproduce:
- Capture the login request using a proxy tool (e.g., Burp Suite).
- Send the captured request to the Intruder tool in Burp Suite.
- Select the password field and enter a password payload list.
- Attempt to log in repeatedly, verifying that unauthorized access can be achieved.
2. Vulnerability Title: Email Flooding (Reset Password/Resend Email/Resend OTP)
Severity: Medium
-
OWASP: A07:2021-Identification and Authentication Failures
Description:
The reset password functionality does not have a rate limit on sending emails, allowing an attacker to flood a user’s email account with multiple reset password/resend email/resend OTP emails.Impact:
This vulnerability led to email account flooding, causing the user’s email account to become unresponsive or even locked out due to excessive email traffic.Mitigation:
Implement rate limiting on sending emails to restrict the number of emails sent from a single IP address. Implement request throttling (e.g., after 3 attempts, hold the user for 1 minute). Introduce CAPTCHA to prevent automated email flooding attempts.Steps to Reproduce:
- Capture the resend email request using a proxy tool (e.g., Burp Suite).
- Send the captured request to the Intruder tool in Burp Suite.
- Set the null payloads and enter a number (e.g., 100).
- Start the attack and observe that multiple emails are sent and received.
3. Vulnerability Title: OTP Bypass by Rate Limit (Account Register/2FA/Reset Password)
Severity: High ~ Critical
OWASP: A07:2021-Identification and Authentication Failures
Description:
The one-time password (OTP) mechanism during account registration/2FA/reset password does not have a sufficient rate limit, allowing an attacker to bypass the OTP verification by repeatedly sending requests.
Impact:
This can allow an attacker to gain unauthorized access to a user’s account by bypassing the OTP verification step.
Mitigation:
Implement a strict rate limit on OTP requests to restrict the number of attempts from a single IP address. Implement request throttling (e.g., after 3 attempts, hold the user for 1 minute). Introduce CAPTCHA to prevent brute-force attacks on OTP functionality.
Steps to Reproduce:
- Capture the OTP request using a proxy tool (e.g., Burp Suite).
- Send the captured request to the Intruder tool in Burp Suite.
- Set the OTP value to a random or sequential value.
- Start the attack and observe that the valid OTP has different lengths, and we get the successful response.
4. Vulnerability Title: Clickjacking
Severity: Medium
-
OWASP: A05:2021-Security Misconfiguration
Description:
It is observed that the server didn’t return an X-Frame-Options header on the page requests, which means that the website could be at risk of a clickjacking attack.Impact:
The user assumes that they’re entering their information into a usual form, but they’re entering it in fields the hacker has overlaid on the UI.Mitigation:
Make use of the X-Frame-Options HTTP header to Same Origin.Steps to Reproduce:
- Save this code in the html extension:
<p>Clickjacking POC</p> <style> iframe { position:relative; width: 500px; height: 700px; opacity: 0.5; z-index: 2; } div { position: absolute; top: 470px; left: 60px; z-index: 1; } </style> <div></div> <iframe src=”https://example.com/“></iframe>
- Launch the file in the browser.
- Observe that the website is getting embedded in an iframe.
5. Vulnerability Title: Account Takeover via Reset Password functionality
Severity: Critical
OWASP: A01:2021-Broken Access Control
Description:
The application’s “forget password” functionality is vulnerable to account takeover. Attackers can exploit this vulnerability by providing their own phone number/email address (assuming an account exists for the attacker) and initiating the “forget password” process. Upon entering a valid OTP/using a password reset link sent to the attacker’s phone number/email address, the system allows the attacker to reset the password without any further authentication. The lack of proper authorization checks enables attackers to reset passwords for any user account by modifying the phone number/email address parameter in the request.
Impact:
Attackers can gain unauthorized access to user accounts by resetting passwords without proper authentication. Once access is gained, attackers can view, modify, or delete sensitive information stored within user accounts.
Mitigation:
Ensure that password reset processes are securely implemented and include proper authorization checks at each step.
Steps to Reproduce:
- Visit the “forgot password” functionality
- Enter the attacker’s phone number/email address and initiate the “forget password” process.
- It’ll send an OTP/link to a number/email; enter/open the OTP/link and move on to the next step.
- Now, intercept the password reset request and modify the phone number/email address to the victim’s phone number. Set a new password for the victim’s account, demonstrating successful account takeover.
6. Vulnerability Title: OTP Misconfiguration Leads to Account Takeover
Severity: Critical
OWASP: A05:2021-Security Misconfiguration
Description:
This vulnerability arises from misconfigured OTP systems, facilitating unauthorized access to user accounts by exploiting weaknesses in OTP handling. We observed that the OTP is reflected in the response when a password reset is initiated. His flaw allows attackers to easily obtain valid OTPs, enabling them to exploit this weakness and gain unauthorized access to user accounts.
Impact:
It will allow attackers to access user accounts without proper authentication, compromising users’ confidentiality, integrity & availability (CIA).
Mitigation:
Mitigate by securely handling OTP, not revealing it in responses.
Steps to Reproduce:
- For the forget password functionality, enter the victim’s phone number/email address and click on Send OTP by intercepting this request on Burp Suite.
- Now send this request to the repeater.
- After sending this request on the repeater, notice that the OTP is clearly visible in the response section.
- After proceeding by entering the given OTP, the attacker can now change the password of the victim’s account.
- Notice that the password is successfully updated. Now, intercept the password reset request and modify the phone number/email address to the victim’s phone number. Set a new password for the victim’s account, demonstrating successful account takeover.
7. Vulnerability Title: Excessive Data Exposure
Severity: Medium
OWASP: A05:2021-Security Misconfiguration
Description:
The application exhibits data exposure, providing sensitive information such as bank account title, IBAN No., card number, email address, customer level, phone number, last login, etc. in response to the login request before the OTP verification.
Impact:
This increases the risk of identity theft, where attackers impersonate users to gain access to other accounts or commit fraud.
Mitigation:
Data validation should occur on the server before any sensitive information is sent to the application. This ensures that only authorized users with valid login credentials and correct OTP can access their account details.
Steps to Reproduce:
- Launch the application, enter valid credentials, and capture the request in Burp Suite.
- Send a request to the repeater and send the request and analyze the excessive data exposure.
8. Vulnerability Title: Rate Limit Bypass
Severity: High
OWASP: A05:2021-Security Misconfiguration
Description:
During testing, it was observed that while a rate limit is implemented on the login page, it is not properly enforced, allowing for bypass. An attacker can exploit this weakness by using an IP rotator tool that changes the source IP address every second, enabling them to make numerous login attempts without being blocked.
Impact:
This vulnerability can lead to brute-force attacks, allowing attackers to guess user credentials and gain unauthorized access to accounts, compromising sensitive user information and potentially leading to account takeovers.
Mitigation:
Implement request throttling for user accounts. If the number of failed login attempts exceeds three, temporarily suspend the login process for one minute.
Steps to Reproduce:
- Access the login page of the application.
- Use an IP rotator tool to change the source IP address every second.
- Attempt to log in with incorrect credentials repeatedly.
- Observe that the rate limiting is bypassed, allowing multiple login attempts without restriction.
9. Vulnerability Title: HTMLi in (Register complaint/Register User/Functionality that Sends Email)
Severity: Medium ~ High
OWASP: A03:2021-Injection
Description:
The vulnerability identified is an HTML Injection (HTMLi) in the functionality (Register Complaint, Register User/Functionality that Sends Email) of the application. On capturing the request on the proxy tool, an attacker can inject malicious HTML code in the “complaintDetails, username, or any field that reflects in the email” field, causing it to be executed in the email sent to the user’s email address.
Impact:
Attackers can exploit this vulnerability to execute HTML code and can conduct phishing attacks.
Mitigation:
Restrict execution of HTML payloads. Encode the special characters like (< > “/), etc.
Steps to Reproduce:
- Login to the Application and Navigate to the (Register Complaint functionality, Register User, Register User/Functionality that Sends Email)
- Enter details and capture the request on a proxy tool like BURPSUITE.
- Enter the HTMLi payload in the “complaintDetails, username, and any field that reflects in the email” and send the request.
- Observe that user got the email address with HTML code execution.
10. Vulnerability Title: Unrestricted Pagination Size Leading to Server Resource Consumption
Severity: Medium ~ High
OWASP: A03:2021-Injection
Description:
We have identified a vulnerability, “Unrestricted Pagination Size Leading to Server Resource Consumption,” in the (notification request/the request contains a page size parameter) endpoint /api/v1/my/getNotifications?page=0&size=10. By increasing the size parameter (e.g., size=1000), the server takes significantly longer to respond, allowing for a Denial of Service (DoS) attack.
Impact:
An attacker can exploit this vulnerability to overload the server, causing slowdowns or complete service disruptions.
Mitigation:
Implement a maximum limit on the size parameter to prevent excessively large data requests.
Steps to Reproduce:
- After logging in to the application, capture the request (notification/the request contains the page size parameter) on the proxy tool.
- Send a request to the notification API: /api/v1/my/getNotifications?page=0&size=10.
- Observe the server’s response time.
- Increase the size parameter (e.g., size=1000).
- Observe the increased response time.
11. Vulnerability Title: No session expiration on Reset Password
Severity: Medium
OWASP: A05:2021-Security Misconfiguration
Description:
The Web application lacks session expiration upon resetting the password, allowing users to retain access to functionalities across multiple browsers without being logged out from previously authenticated sessions.
Impact:
If the attacker has a user password and logged in in different places, as other sessions are not destroyed, the attacker will still be logged in to the victim account even after changing the password because his session is still active. A malicious actor can gain complete access to a victim account.
Mitigation:
Implement session management mechanisms to invalidate existing sessions upon password reset or change.
Steps to Reproduce:
- Log in to the account on Browser 1.
- Reset the password for the account from another browser (Browser 2).
- Return to Browser 1, refresh the page, and verify if the user can still access functionalities without being logged out despite the password reset on the other browser.
12. Vulnerability Title: TLS 1.0 Enabled
Severity: Medium
Severity: Medium
OWASP: A02:2021-Cryptographic Failures
Description:
During testing we observed that the server accepts connections encrypted using TLS 1.0. TLS 1.0 has several cryptographic design flaws and is obsoleted. PCI DSS v3.2 requires that TLS 1.0 be disabled entirely and recommends TLS 1.2 or higher.
Impact:
can possibly perform these attacks.
TLS 1.0 is vulnerable to attacks like POODLE, BEAST, CRIME, HEARTBLEED, etc. An attacker
can possibly perform these attacks.
Mitigation:
Disable TLS 1.0 and enable TLS 1.3.
Steps to Reproduce:
- Open Kali Linux or install SSLSCAN on Windows.
- Run this command:
sslscan <affected host> - Observe the results that TLS 1.0 is enabled.








