Potential bypass of too_many_attempts on /dbconnection/password_change via encoded characters

Hi Auth0 Team,

I want to report a potential security issue with the /dbconnection/password_change endpoint in Auth0 database connections.

Issue:

It appears that using certain URL-encoded control characters, e.g., "%01", in the email parameter allows multiple password change requests without triggering the too_many_attempts error.

Is there already a way to configure Auth0 to protect against this behavior?

Hi @gedeon.u,

Welcome to the Auth0 Community!

You can use Auth0’s Brute-Force Protection. This feature includes rate limiting on the password change endpoint. While our systems are designed to normalize user identifiers before applying security policies, it’s crucial to ensure your tenant’s protection settings are correctly configured to shield against such attempts.

You can find this feature here:

Have a good one,
Vlad
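As an added illustration of the normalization point in the reply above (example code written for this thread, not Auth0's implementation or the reporter's test), a toy attempt limiter keyed on the raw email beside one keyed on a normalized form; the decoding, control-character stripping, NFKC and case-folding steps are an assumed policy, and the threshold and request stream are constructed for the demo.

```python
import unicodedata
from collections import defaultdict
from urllib.parse import unquote

MAX_ATTEMPTS = 3  # constructed threshold for the demo, not Auth0's real limit

def normalize_identifier(raw: str) -> str:
    """Canonical rate-limit key for an email (assumed policy, not Auth0's):
    percent-decode until stable (so "%2501" cannot smuggle "%01" past one pass),
    drop control/non-printable code points (Unicode category C*), apply NFKC,
    then case-fold and trim whitespace."""
    s = raw
    for _ in range(3):  # bounded: unwrap nested encodings without looping forever
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = "".join(ch for ch in s if unicodedata.category(ch)[0] != "C")
    s = unicodedata.normalize("NFKC", s)
    return s.casefold().strip()

class AttemptLimiter:
    """Counts password-change attempts per key; denies once MAX_ATTEMPTS is hit."""

    def __init__(self, normalize: bool) -> None:
        self.normalize = normalize
        self.counts = defaultdict(int)

    def allow(self, email: str) -> bool:
        key = normalize_identifier(email) if self.normalize else email
        if self.counts[key] >= MAX_ATTEMPTS:
            return False  # this is the too_many_attempts response
        self.counts[key] += 1
        return True

# Constructed request stream: one mailbox spelled five ways, each sent twice.
VARIANTS = ["user@example.com", "user%01@example.com", "user%02@example.com",
            "USER@example.com", "user%2501@example.com"]

def allowed_requests(normalize: bool) -> int:
    """How many of the 10 constructed requests a limiter lets through."""
    limiter = AttemptLimiter(normalize=normalize)
    return sum(limiter.allow(e) for e in VARIANTS * 2)

if __name__ == "__main__":
    print("raw key:", allowed_requests(False))         # 10: each spelling gets its own bucket
    print("normalized key:", allowed_requests(True))   # 3: every spelling shares one bucket
```

A production limiter would also count per source address and per account, so that the identifier normalization is one layer rather than the only one.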