Hi Hostsailor Security Team,
I'm Yash Bug Bounty Hunter from India.
Login Function is blocking through the IP.
I would like to report rate limit issue based on IP blocking mechanism. Rate-limitation nowadays is not effective anymore to protect against brute-force. There are many botnets out there which can be used to overcome this hurdle, as well as cloud (VPS) services (e.g. Amazon AWS EIPs, Digital Ocean, ...), VPNs, proxies.
We can use IP Rotation extension in Burpsuite to exploit IP Based Rate limiting.
In this case I validated by changing my IP but in extension it automatically changes the IP after 5 attempts and Rate limit is bypassed.
Many VPS providers today offer a whole /64 subnet range of IPv6 addresses (18.446.744.073.709.551.616 unique addresses), such as but not limited to:
RamNode: $15/year (https://www.ramnode.com/vps.php)
Hetzner: $3.9/month (https://www.hetzner.de/us/hosting/produktmatrix_vserver/vserver-produktmatrix)
Vultr: $5/month (https://www.vultr.com/pricing/) and AWS too.
One example of a similar vulnerability that was exploited by Black Hats in the past would be Apple's Celebgate scandal of January 2015, where celebrity passwords were brute-forced through an unprotected Apple authentication endpoint which is on IP based rate limit blocking. But in the case of Courier user can easily rotate the IP's and can cause denial of services to its victim, or can cause notification bombarding after every 5 request.
1) Rate limit bypassed.
2) IP based Rate limit Bypass can cause Dos on courier users.
I'm recommending you to implement Captcha Verification to avoid such rate limit issue, or You can add rate limit on the basis of user's email address not IP address.
So make brute force attack on login page and change IP after you get rate limited. I Don't have AWS subscription that why I'm demonstrating this with my free ( RiseupVPN ). Hope you will understand.