Hi Auth0 Team,
I want to report a potential security issue with the /dbconnection/password_change endpoint in Auth0 database connections.
Issue:
It appears that using certain URL-encoded control characters, e.g., "%01", in the email parameter allows multiple password change requests without triggering the too_many_attempts error.
Is there already a way to configure Auth0 to protect against this behavior?
Hi @gedeon.u,
Welcome to the Auth0 Community!
You can use Auth0’s Brute-Force Protection. This feature includes rate limiting on the password change endpoint. While our systems are designed to normalize user identifiers before applying security policies, it’s crucial to ensure your tenant’s protection settings are correctly configured to shield against such attempts.
You can find this feature here:
Have a good one,
Vlad
Thanks for the response!
Even with Brute Force Protection enabled, if a user includes URL-encoded control characters in the email parameter, the rate limit gets bypassed, and the attempts are not counted. Is there a way to enforce protection in this scenario as well?
Hi @gedeon.u,
Sorry for the very delayed response.
One of our engineers was able to receive the too_many_attempts error, even with the email containing URL-encoded control characters. Could you provide us with an example of an email that didn’t work for you?
Have a good one,
Vlad
For more context, when the attempt limit is set to 10 and the user makes more than 10 consecutive requests, they receive a “Too Many Requests” error. However, if the user adds a URL-encoded control character, they can make another 10 requests without triggering the error.
Could you provide us with an example of an email address containing URL-encoded control characters that bypassed the error?
Have a good one,
Vlad
for example: test.user1@domain.com%01
