For login, generally, a username/email and password are required.
It is easy to know the username or email of a victim's account.
Then the Attacker can use common passwords and try to get logged in.
If there is no rate limit on Login Request, then the Attacker's job is simple. He can write a simple script and take passwords from the collection of many passwords (like rockyou.txt which contains 14,341,564 unique passwords) one by one.
With a single system, Attacker can send more 1000 Request/sec
So, to check complete rockyou.txt, it will take about 4Hr.
If the victim's password is not in rockyou.txt, Attacker can Bruteforce the password, and it will take time depending on several combinations possible.
Give Real example here
- Account takeover is possible.
- Implement rate-limiting in your application based on source IP as well as active session.
- Block that IP / Session if you are getting multiple requests even after sending
429 Too Many Requestsresponse.