No password brute-force protection on login page
# Description
The login endpoint has no protection against password brute-force attacks: an attacker can submit an unlimited number of login attempts for a target account, so every candidate password can be tried without any restriction.
# Proof of Concept
1. Send a login request for the target user:

```http
POST http://localhost:5000/api/account/login HTTP/1.1
Host: localhost:5000
Proxy-Connection: keep-alive
Content-Length: 35
Content-Type: application/json

{"username":"user1","password":"100000"}
```

2. Capture and replay the login request with a different password every time. The server answers every attempt; no lockout, delay or challenge is ever triggered.
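The missing control, as an added example (this is not code from the report or from the affected application): a minimal login verifier with no throttling, which behaves as the report describes, next to a hardened one that keeps a sliding-window failure counter keyed by account name and by client IP and refuses to evaluate the password once the limit is hit. The credential store, the password, the IP address and the limits are constructed for the demo; the PBKDF2 iteration count is kept low so the demo runs quickly.

```python
"""Login throttling demo: unthrottled login (the behaviour the report describes)
beside a throttled one. All credentials, IPs and limits here are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed per key inside the window
WINDOW_SECONDS = 900    # sliding window / lockout length (15 minutes)
ITERATIONS = 20_000     # low for demo speed; production deployments use far more


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(plain_credentials):
    """Constructed credential store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for username, password in plain_credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _derive(password, salt))
    return store


def verify_password(store, username, password):
    """Constant-time compare; an unknown user still pays for one derivation."""
    salt, expected = store.get(username, (b"\x00" * 16, b"\x00" * 32))
    return hmac.compare_digest(_derive(password, salt), expected) and username in store


def login_unthrottled(store, username, password):
    """Vulnerable form: every request is checked however many failed before it."""
    return verify_password(store, username, password)


class LoginThrottle:
    """Sliding-window failure counter; callers key it by account and by client IP."""

    def __init__(self):
        self._failures = defaultdict(list)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        cutoff = now - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_locked(self, key, now):
        return len(self._recent(key, now)) >= MAX_FAILURES

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def login_throttled(store, throttle, username, password, client_ip, now=None):
    """Hardened form: returns 'ok', 'invalid' or 'locked'."""
    now = time.monotonic() if now is None else now
    user_key, ip_key = f"user:{username.lower()}", f"ip:{client_ip}"
    if throttle.is_locked(user_key, now) or throttle.is_locked(ip_key, now):
        return "locked"  # refuse before the password is even evaluated
    if verify_password(store, username, password):
        throttle.record_success(user_key)  # IP counter is deliberately not reset
        return "ok"
    throttle.record_failure(user_key, now)
    throttle.record_failure(ip_key, now)
    return "invalid"


def count_evaluated_attempts(store, username, guesses, throttle=None,
                             client_ip="203.0.113.7", start=0.0):
    """Simulate the report's replay (one guess per second from one constructed IP)
    and count how many guesses the server actually checked against the stored hash."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        if throttle is None:
            login_unthrottled(store, username, guess)
            evaluated += 1
        elif login_throttled(store, throttle, username, guess, client_ip, start + i) != "locked":
            evaluated += 1
    return evaluated
```

With the unthrottled verifier every replayed guess reaches the password check; with the throttle only the first `MAX_FAILURES` do, the account and the source IP both stay locked for the rest of the window, and a correct password is accepted again only once the window has expired. Keying on the IP as well as the account means a replay against a different account from the same source is also refused, while not clearing the IP counter on success stops one known-good login from resetting the limit.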