Hello Amazing Hackers,
Hope you guys are doing well and hunting lots of bugs and dollars!
Well, let’s start.
So for today, I am going to discuss my first valid bug (denial of service when entering a long password), which has given me $100. I also recommend that after reading this article you try to find the same or related vulnerabilities on your targets.
I was looking for bugs in my target “Nextcloud”, which I had picked from the HackerOne public programs. But this target has already been looked at by lots of hackers, and a lot of bugs have already been reported, as I can see in Hacktivity. Generally, when you are trying to find vulnerabilities, lots of you ignore Hacktivity. But you should look at it once so that you have some idea of what types of bugs have already been found on this target and what you can try here. This doesn’t mean that you should not follow your own methodology; just get an idea from Hacktivity, and it will help you a lot while finding bugs.
I was just checking the signup functionality with some known techniques, but suddenly, when entering my password for signup, I realized that the page has no limitation, meaning that you can enter a password without any limit on its length.
This is a bug because normally passwords have a limit of 8–10–24 digits. I just tried entering more and more characters until it started responding slowly. But before reporting this bug, please check whether it is impactful or not!
Description of the bug:
By sending a very long password (1.000.000 characters) it’s possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
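One way to close this off on the server side, shown as an added example that is not code from the original report or from the affected project: cap the password length before the key-derivation function ever runs, on both the signup and login paths. The 512-byte limit, the use of PBKDF2-HMAC-SHA256 and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed values for this example; tune them to your own password policy.
MAX_PASSWORD_BYTES = 512
MIN_PASSWORD_CHARS = 8
PBKDF2_ITERATIONS = 200_000


class PasswordRejected(ValueError):
    """Raised before any hashing work is done."""


def check_length(password: str) -> bytes:
    # Cheap character-count check first, so a huge string is never encoded.
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordRejected("password too long")
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordRejected("password too short")
    # Enforce the cap on bytes: multi-byte characters expand under UTF-8.
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordRejected("password too long")
    return raw


def hash_password(password: str) -> dict:
    raw = check_length(password)  # reject before the expensive KDF runs
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    try:
        raw = check_length(password)  # the login path needs the same cap
    except PasswordRejected:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw, record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])
```

A length check in application code only helps once the request has been read, so it is normally paired with a request-body size limit at the web server or reverse proxy.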
Have a look at the reports given above.
Hope this is useful for you guys.
Happy Hacking!