Bug: No rate limiting on Email verification leads to huge Mass Mailing :: P4

7 months ago 44
BOOK THIS SPACE FOR AD
ARTICLE AD

Professor 0xx01

No Rate Limiting

Hello Fellows.

I am here to tell you how i find Rate Limiting Vulnerability on a public Bug Bounty Program.

So, What is Rate Limiting..???

Rate limiting vulnerability is a type of security weakness that occurs when an application or system fails to properly enforce limits on the number of requests or actions that a user can perform within a given period of time.

Rate Limit

For example, let’s say an online service allows users to make a limited number of login attempts within a certain time frame to prevent brute-force attacks. If the system fails to properly enforce this limit, an attacker could repeatedly attempt to log in with various combinations of usernames and passwords until they gain unauthorized access to an account.

Steps To Reproduce…….

No Rate Limit on User Email Verification Code:

During Bug Hunting on admin.<target.com> domain, it shows a login page to login & there i can also create new user account to access the web application.

So I started to create a new user account and start playing with BurpSuite to see requests & responses.

Creating Account

After giving credentials, it’s sending a email verification code to the corresponding email i just entered.

Now, I give incorrect verification code & saw that it again sends me an another verification code.

Seeing this i just captured the req & send it to intruder. Here i didn’t select any payload position & start the attack with null payloads.

Anddddd…. B0000MMM….!!!!!!

Null Payloads

I had received a huge number of verification code in my email within a few amount of time.

2. No Rate Limit on Forgot Password Verification Code:

As i described, this same issue i have identified on the forgot password verification Code.

Forgot Password

Here i also received a huge number of reset password verification code in my email using the same Intruder attack with null payloads.

Then I just created a report & submit it to the Team. They accepted this issue as a valid one & marked as P4.

No to Money

Alright folks….!!! Hope you enjoyed this …

If you appreciate it, remember to like and follow me for more articles…!!!!

Happy Hunting ~~ Keep Learning & Growing.

See You in the next article….!!!!! Love you all …. ❤️💕

Read Entire Article