No Rate Limit on License Activation
Team Summary
Official summary from Clario
## Introduction

A little bit about rate limiting: a rate-limiting algorithm checks whether a user session (or IP address) has to be limited, based on the information in the session cache. If a client makes too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests.

## Description

I have identified that, during license activation on account.mackeeper.com, the request has no rate limit, so a single request can be replayed in a loop. This can be used to brute-force the MacKeeper license key. The first request generated for the activation code does not validate the G-Captcha verification, so an attacker can brute-force the activation code.

## Request

```
POST /my-licenses/enter-activation-code HTTP/1.1
Host: account.mackeeper.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://account.mackeeper.com/mylicenses
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: mk_app_yes=mk_app_yes; ActivateMacKeeperPopUpShown5efb180de6b37b3326166ef5=1; showCookiePolicy=true; _ga=GA1.3.1268580131.1593521017; _gid=GA1.3.2072436200.1593521017; _hjid=76d1e19a-d544-4123-8d02-65f30c9901df; _hjIncludedInSample=1; _hjAbsoluteSessionInProgress=1; sid=fstrk1gg07rva675puuftotju7; aguid=d82aa8c6a8c239b88f6bdca39af1b7ad5efb37b7e99293.37291003; jwtToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ijk1YTYyYzc4N2ViYjcwYTY5OTFhNzdhMTI1ODJkZjlhIn0.eyJ1c2VyX2lkIjoiNWVmYjE4MGRlNmIzN2IzMzI2MTY2ZWY1IiwiaXNzIjoibWthcGkiLCJleHAiOjE1OTQxNTIwNjEsImhhc2giOiI2NmM4NmRjOTAxYTM2MSJ9.IDg6BJBiNowewfO4vg0P8O4yFC2SuX57RkEqod1Cr-wScfB2YqO8COt5EUwyVLT_RXECk8fPtubnrp_VxTsK6iMsrLa2FNz73uqyir9RvzYrfgs-JUH0ZzpaK63Cnd9xCGBJcUfN40d6txmlM426ey5qgX9vLICzX1WMtYEdvQ3xskfPcweJMZihceB1dq1oro2OJUahV28Y3gfOn6UzuNsfitlGbQss6pKPbDKBv5VgUoW4madD0rXo6iXuhrXs130f6pbdZ6ZRkmlyBuGm3mK3Rve6pji7sQXHMk1myo7GiDZG0tj_L_Fty68NPnvKRa9OGSfe0vnbioCCkAe6eg; loginInfo=akash-labade

csrf=38a8b676d202e1c513637e6d8ce224fe&code=ABCDEFGH12345678
```

## Steps To Reproduce

1. Go to `https://account.mackeeper.com/mylicenses`.
2. Click on the "Enter Activation code" button.
3. Intercept the request using Burp and send it to Intruder.
4. Add a payload list and click "Start attack".
5. Observe that every response is a 200 OK with the error "The key "ABCDEFGH12345678" does not exist".

## Solution

* I recommend adding a reCAPTCHA to the first request as well; the first activation request does not validate the reCAPTCHA.
* Alternatively, require some form of manual human interaction to proceed, such as a simple challenge like 2+2=___, so that the request cannot be brute-forced.
* Set a limit at the back-end, for example allowing a user to request activation at most 5 times a day; this would prevent exploitation of this vulnerability.

## Impact

* If there is no rate limit on activation-key verification, users can obtain any number of keys through a brute-force attack.
* This type of attack can result in financial loss and can lead to business risk.
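The back-end limit the report recommends can be implemented as a sliding-window counter that runs before the key lookup, so that every activation attempt, right or wrong, consumes quota. The following is an added example written for this page, not code from MacKeeper, Clario or the reporter; the policy values (3 attempts per minute and 5 per day per account, a looser per-IP cap) and the handler name `handle_activation` are assumptions chosen to mirror the "5 times a day" suggestion above.

```python
import math
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions, not from the report). The per-account
# daily cap mirrors the report's "5 times a day" suggestion; the per-IP cap is
# looser so that users behind one NAT do not lock each other out.
ACCOUNT_POLICY = {"burst": (3, 60.0), "daily": (5, 24 * 3600.0)}
IP_POLICY = {"burst": (10, 60.0), "daily": (50, 24 * 3600.0)}


class ActivationRateLimiter:
    """Sliding-window limiter for license-activation attempts.

    Attempts are counted per authenticated account and, independently, per
    client IP. An attempt is recorded only when it is allowed; a denied
    attempt is answered with the number of seconds until the oldest counted
    attempt falls out of the window that blocked it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for deterministic tests
        self._buckets = defaultdict(deque)   # (scope, key) -> attempt timestamps

    @staticmethod
    def _window_wait(stamps, now, limit, window):
        """Seconds to wait if `stamps` already holds `limit` entries newer
        than `window` seconds; 0.0 if another attempt fits."""
        recent = [t for t in stamps if now - t < window]
        if len(recent) < limit:
            return 0.0
        return window - (now - recent[0])

    def _scope_wait(self, scope, key, policy, now):
        stamps = self._buckets[(scope, key)]
        longest = max(window for _, window in policy.values())
        while stamps and now - stamps[0] >= longest:   # drop entries no window needs
            stamps.popleft()
        return max(self._window_wait(stamps, now, limit, window)
                   for limit, window in policy.values())

    def check(self, account_id, client_ip):
        """Return (allowed, retry_after_seconds); records the attempt if allowed."""
        now = self._clock()
        wait = max(self._scope_wait("account", account_id, ACCOUNT_POLICY, now),
                   self._scope_wait("ip", client_ip, IP_POLICY, now))
        if wait > 0:
            return False, math.ceil(wait)
        self._buckets[("account", account_id)].append(now)
        self._buckets[("ip", client_ip)].append(now)
        return True, 0


def handle_activation(limiter, account_id, client_ip, submitted_code, valid_codes):
    """Simplified server-side handler for the enter-activation-code request
    (hypothetical; stands in for the real endpoint). The limiter runs before
    the key lookup so that wrong guesses also consume quota.
    Returns (http_status, headers, body)."""
    allowed, retry_after = limiter.check(account_id, client_ip)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}, "Too Many Requests"
    if submitted_code in valid_codes:
        return 200, {}, "License activated"
    # Uniform failure message: reveal nothing about partial matches.
    return 400, {}, "The key does not exist"


if __name__ == "__main__":
    limiter = ActivationRateLimiter()
    valid = {"EXAMPLE-KEY-0000"}   # constructed placeholder, not a real key
    for attempt in range(1, 8):
        status, headers, body = handle_activation(
            limiter, "user-1", "203.0.113.5", "ABCDEFGH12345678", valid)
        print(attempt, status, headers, body)
```

Counting attempts at the limiter rather than only failed logins matters here: the endpoint in the report answers wrong keys with 200, so a limiter keyed on error status would never fire. Pairing the per-account window with a per-IP window also covers an attacker who rotates accounts from one source.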
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$300.00
Submitted
Weakness
Business Logic Errors