Firstly, what is No Rate Limit on Forgot Password?
No rate limit on forgot password means the endpoint has no mechanism to stop a client from repeating the same request many times in a short period. This can be used to send an unlimited number of password-reset emails to any address that is registered on the website, flooding the victim's inbox and letting an attacker enumerate which addresses have accounts.
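As an added illustration of the missing control (not code from the original post or from the site it describes), here is a forgot-password handler with a sliding-window limit keyed by both target address and client IP, and one generic reply for every outcome so the response leaks nothing. The policy numbers, the user table and the in-memory store are constructed for the example; a real deployment would keep the counters in a shared store such as Redis.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for the example.
PER_EMAIL_LIMIT = 3     # reset mails per address per window
PER_IP_LIMIT = 10       # reset requests per client IP per window
WINDOW_SECONDS = 3600

# Constructed user table and stand-ins for the mailer and the audit log.
REGISTERED = {"alice@example.com", "bob@example.com"}
OUTBOX = []      # (timestamp, address) of mails the handler "sent"
AUDIT_LOG = []   # throttled attempts, for detection and alerting


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in the trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


EMAIL_LIMITER = SlidingWindowLimiter(PER_EMAIL_LIMIT, WINDOW_SECONDS)
IP_LIMITER = SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS)

# One reply for every outcome: the body reveals neither whether the
# address is registered nor whether the caller was throttled.
GENERIC_REPLY = {"status": "SUCCESS",
                 "statusMessage": "If the address is registered, a reset link has been sent."}


def handle_forgot_password(email, client_ip, now=None):
    """Process a {"email": ...} reset request from client_ip; return the JSON reply."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Per-IP limit caps scanning many addresses; per-email limit caps flooding one inbox.
    if not IP_LIMITER.allow(client_ip, now) or not EMAIL_LIMITER.allow(email, now):
        AUDIT_LOG.append({"ts": now, "ip": client_ip, "email": email, "event": "reset_throttled"})
        return GENERIC_REPLY
    if email in REGISTERED:
        OUTBOX.append((now, email))
    return GENERIC_REPLY
```

The audit entries are what a SOC would alert on: many `reset_throttled` events from one IP, or for one address, in a short window.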
It was a sunny Sunday. I was testing India's famous e-commerce website. As it is a private program, let's call it xyz.com. I started digging for subdomains with the tools Subfinder, Amass, and ffuf (ffuf — faster you fool 😂) and filtered the active subdomains using the httpx tool.
I started looking into the subdomains, and one caught my eye; let's say it is accounts.xyz.com. The site has email and password fields to log in, and there is a forgot password option right below!
Then I fired up Burp Suite and started capturing the requests.
I clicked on forgot password, entered an email, for example testforhack@gmail.com, and clicked submit!
Burp Suite popped up and I saw testforhack@gmail.com within the request, then I sent it to the Repeater:
{"email": "testforhack@gmail.com"}
In Repeater, I tampered with the email to:
{"email": "xyz@gmail.com"}
Boom!!!! I got a JSON response with a success message:
{"status": "SUCCESS",
 "statusMessage": "Password change linkt send to "}
Then I sent the request to Intruder and fired it 50 times, and received 200 OK for all of them with SUCCESS messages in the JSON.
But I put off reporting for some time. When I started writing the report a few hours later and began recording the PoC, the email had been deleted from the database:
{"status":"ERROR",
"statusMessage":"Invalid client Id"
}
My bad 😓