Somaharish

Introduction:

As a security researcher, I continuously submitted bugs on various platforms, and all of them came back as duplicates. I revised my concepts and worked on "no rate limit" vulnerabilities. This time I tried the HackenProof platform, hit the server repeatedly, and bagged a bounty of $200 USD.

Steps to reproduce:

  1. Go to the URL and log in.
  2. Go to user settings and edit the name to "attacker".
  3. Capture the request in Burp.
  4. Send that POST request to Intruder.
  5. Select 100 null payloads and send this POST request to the server 100 times.
  6. I successfully hit the server 100 times and changed the username 100 times.
  7. Normally there is some limit on how often the username/password/email can be changed.
  8. They confirmed the issue and awarded a bounty of $200.
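The fix for this class of bug is a per-user limit on sensitive profile updates. The following is an added example (not code from the original post or from HackenProof): a sliding-window rate limiter in front of a hypothetical profile-update handler, replaying the 100-request burst described above with a constructed in-memory user store and a fake clock so that it runs offline. The endpoint name, user id and limit of 5 updates per 60 seconds are assumptions chosen for the demonstration.

```python
import time
from collections import deque


class SlidingWindowRateLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    The clock is injectable so that tests can advance time deterministically.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = {}  # key -> deque of event timestamps

    def allow(self, key):
        now = self.clock()
        q = self._events.setdefault(key, deque())
        # Discard timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: caller should reply 429
        q.append(now)
        return True


def handle_profile_update(limiter, user_id, new_name, store):
    """Hypothetical handler for the 'edit name' request. Returns (status, body)."""
    if not limiter.allow(("profile_update", user_id)):
        return 429, {"error": "too many profile updates; try again later"}
    store[user_id] = new_name
    return 200, {"name": new_name}


def simulate_burst(n=100, limit=5, window=60):
    """Replay the write-up's scenario: n updates from one user in quick succession.

    Returns (accepted, rejected, final_name) so the effect of the limiter is visible.
    """
    fake_now = [1000.0]  # constructed clock value; never advances during the burst
    limiter = SlidingWindowRateLimiter(limit, window, clock=lambda: fake_now[0])
    store = {"user-42": "original"}  # constructed sample user record
    accepted = rejected = 0
    for i in range(n):
        status, _ = handle_profile_update(limiter, "user-42", f"attacker{i}", store)
        if status == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, store["user-42"]


def recovers_after_window(limit=5, window=60):
    """Show the limiter is a throttle, not a permanent block: once the window
    passes, a legitimate update from the same user is accepted again."""
    fake_now = [1000.0]
    limiter = SlidingWindowRateLimiter(limit, window, clock=lambda: fake_now[0])
    key = ("profile_update", "user-42")
    for _ in range(limit):
        limiter.allow(key)
    blocked_inside_window = not limiter.allow(key)
    fake_now[0] += window  # advance the fake clock past the window
    allowed_after_window = limiter.allow(key)
    return blocked_inside_window and allowed_after_window


if __name__ == "__main__":
    print(simulate_burst())        # with the limiter: only 5 of 100 updates land
    print(recovers_after_window())  # True: user can update again after 60 s
```

In a real deployment the limiter state would live in a shared store such as Redis rather than a process-local dict, and the key should be the authenticated user id (or session), not a client-supplied value, so that the budget cannot be reset by changing a header.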

Screenshots:
