
Brute Force Vulnerability Exploited on OopsSec Store Due to Lack of Rate Limiting
The article describes the exploitation of a brute force vulnerability on the OopsSec Store login endpoint, caused by the absence of rate limiting controls. The flaw lets an attacker run an unlimited brute force attack against a known email address with a standard password list, recover the account password, and take full control of the account. The attack uses rockyou.txt, a list of over 14 million passwords. The attack script sends POST requests to the /api/auth/login endpoint with email/password pairs until a success response is returned; the password sunshine is found quickly. The vulnerability stems from the lack of rate limiting and account lockout, together with the use of the MD5 hashing algorithm for stored passwords. Remediation measures include implementing rate limiting, locking the account after several failed attempts, and adopting a computationally expensive hashing function such as bcrypt.
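As an added example (not code from the article or from OopsSec Store), the following framework-free login guard shows the two controls the remediation calls for, per-IP rate limiting and per-account lockout, and a constructed wordlist run showing the account locking before the correct guess is reached. The thresholds, the injectable clock and the `checkPassword` callback are assumptions chosen for illustration.

```javascript
// Added example, not code from the article or the OopsSec Store project: a
// framework-free login guard adding the controls the article says were missing
// (per-IP rate limiting and per-account lockout). Thresholds, the `now` clock
// parameter and the checkPassword callback are assumptions for illustration.
function createLoginGuard({
  checkPassword,            // (email, password) => boolean, e.g. a bcrypt compare
  maxPerWindow = 10,        // login requests allowed per IP per window
  windowMs = 60_000,
  maxFailures = 5,          // wrong passwords before the account locks
  lockoutMs = 15 * 60_000,
}) {
  const ipHits = new Map();   // ip -> timestamps of recent requests
  const failures = new Map(); // email -> { count, lockedUntil }

  function rateLimited(ip, now) {
    const hits = (ipHits.get(ip) || []).filter(t => now - t < windowMs);
    hits.push(now);
    ipHits.set(ip, hits);
    return hits.length > maxPerWindow;
  }

  function recordFailure(email, now) {
    const f = failures.get(email) || { count: 0, lockedUntil: 0 };
    f.count += 1;
    if (f.count >= maxFailures) { f.lockedUntil = now + lockoutMs; f.count = 0; }
    failures.set(email, f);
  }

  // Returns an HTTP-style result; `now` is injectable so the guard runs offline.
  function login({ ip, email, password }, now = Date.now()) {
    if (rateLimited(ip, now)) return { status: 429, body: 'too many requests' };
    const f = failures.get(email);
    if (f && f.lockedUntil > now) return { status: 423, body: 'account locked' };
    if (!checkPassword(email, password)) {
      recordFailure(email, now);
      return { status: 401, body: 'invalid credentials' };
    }
    failures.delete(email); // successful login clears the failure counter
    return { status: 200, body: 'ok' };
  }
  return { login };
}

// Constructed demo: a short wordlist with the article's password placed last.
// The guard locks the account before the list is exhausted, so the correct
// guess is never evaluated.
function bruteForceDemo() {
  const words = ['123456', 'password', 'iloveyou', 'princess', '12345678', 'sunshine'];
  const guard = createLoginGuard({ checkPassword: (_e, p) => p === 'sunshine' });
  return words.map(pw =>
    guard.login({ ip: '203.0.113.7', email: 'victim@example.com', password: pw }, 1_000).status);
  // returns [401, 401, 401, 401, 401, 423]
}
```

In a real service the `checkPassword` callback would compare against a bcrypt hash, and the two maps would live in shared storage so the limits hold across server instances.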