A recent penetration test on my app raised the following issue: The web application had no rate limiting implemented on the ‘password reset’ functionality leading to an email flooding attack.
The pen tester sent a large volume of “Forgotten Password” requests to dev-nnnnnnn.okta.com/api/v1/authn/recovery/password, which resulted in a large number of emails sent to the user’s (the “victim”) email address, e.g., the attacker could perform an email flooding attack against the victim’s email address.
Is there any way to prevent this within the Okta Security, Authentication, and Password configuration?
Thank you
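Added illustration, not part of the original post and not an Okta configuration setting: the flood described above is only possible because every "Forgotten Password" call is forwarded and produces an email, so one generic mitigation is to put a per-recipient and per-source budget in front of the recovery call in the application itself. The code below is an example written for this page; it assumes the application owns the endpoint that calls the recovery API (here stubbed as a `send_reset_email` callback) and the limits of 3 emails per address per hour and 20 requests per client IP per hour are illustrative, not recommended values. It also returns the same response whether or not an email was sent, so the limiter does not turn into an account-enumeration oracle.

```python
"""Per-target rate limiting for a 'forgot password' endpoint.

Example code written for this page; it is not Okta's configuration and not code
from the original post. It assumes the application fronts the recovery call
itself, so it can count requests per normalised email and per client IP before
forwarding them. Limit values are illustrative.
"""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    Timestamps of accepted events are kept per key; denied events are not
    recorded, so a flood cannot extend its own lockout indefinitely.
    """
    limit: int
    window_seconds: float
    clock: Callable[[], float] = time.monotonic   # injectable for tests
    _events: Dict[str, Deque[float]] = field(default_factory=dict)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:        # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PasswordResetGateway:
    """Sits between the public endpoint and the recovery call (hypothetical)."""

    def __init__(self, send_reset_email: Callable[[str], None],
                 clock: Callable[[], float] = time.monotonic):
        # Per-victim budget: bounds how many emails one mailbox can receive
        # even when the flood comes from many source addresses.
        self.per_email = SlidingWindowLimiter(limit=3, window_seconds=3600, clock=clock)
        # Per-source budget: cuts off one client that rotates target addresses.
        self.per_ip = SlidingWindowLimiter(limit=20, window_seconds=3600, clock=clock)
        self.send_reset_email = send_reset_email

    def request_reset(self, email: str, client_ip: str) -> dict:
        target = email.strip().lower()     # "Victim@Example.com" == "victim@example.com"
        ip_ok = self.per_ip.allow(client_ip)
        email_ok = self.per_email.allow(target)
        if ip_ok and email_ok:
            self.send_reset_email(target)
        # Identical response whether the email was sent, the address is
        # unknown, or a limiter fired: nothing here reveals account existence.
        return {"status": 200,
                "body": "If that address is registered, a reset email has been sent."}


if __name__ == "__main__":
    sent = []
    gw = PasswordResetGateway(sent.append)
    for _ in range(10):
        gw.request_reset("Victim@Example.com", "203.0.113.5")
    print(f"10 requests -> {len(sent)} emails sent")   # 3
```

The trade-off to note: once the per-address budget is spent, the legitimate owner also cannot trigger a reset until the window expires, so keep the window short enough to be tolerable and pair the limiter with a CAPTCHA or similar challenge rather than relying on it alone.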