I found victim mailbox flooding due to no rate limit on the forgot-password area
The issue is that a speed bump (rate limit) is missing in the forgot-password flow
for a user's e-mail address. This lets an attacker spam any arbitrary e-mail
address, resulting in exhaustion of resources on your side.
I generated more than 100 forgot-password requests and received a matching number of password reset e-mails within no time; I was able to flood the mailbox because there is no rate limitation on the forgot-password area.
Impact:
This poses a significant threat to the integrity and reputation of your
organization.
An attacker can flood anyone's mailbox by triggering forgot-password e-mails for that address.
Steps to reproduce:
Send the request to Burp Repeater.
Now click Go 100 times, or as many times as you like.
You can see the e-mails being spammed to your inbox.
image.png
Fix:
There should be a CAPTCHA and rate limiting to protect the forgot-password
area.
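As an added illustration of the fix (this is not the reported site's code nor the reporter's; class names, limits, window length and the IP addresses are constructed placeholders), the handler below enforces two independent sliding-window limits on a forgot-password endpoint: one per client IP, so a single Burp Repeater session is cut off early, and one per recipient address, so no number of clients can push more than a handful of reset mails into one mailbox per hour. Replaying the report's hundred-request burst against it shows three mails sent, seven silently absorbed and ninety rejected with HTTP 429.

```python
"""Rate-limited forgot-password handler (added example, not the reported site's code)."""
from __future__ import annotations

from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ForgotPasswordService:
    """Two independent limits: per recipient address and per client IP (limits are assumed values)."""

    def __init__(self, per_email: int = 3, per_ip: int = 10, window: float = 3600.0) -> None:
        self.by_email = SlidingWindowLimiter(per_email, window)
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.outbox: list[tuple[str, float]] = []  # constructed stand-in for the mail queue

    def request_reset(self, email: str, client_ip: str, now: float) -> dict:
        # Normalise so Victim@Example.com shares a bucket with victim@example.com.
        recipient = email.strip().lower()
        # Client limit first: one source hammering the endpoint gets 429 quickly.
        if not self.by_ip.allow(client_ip, now):
            return {"status": 429, "sent": False}
        # Recipient limit caps what any number of clients can push into one mailbox.
        # The response stays 200 so the endpoint does not reveal that the cap was hit.
        if not self.by_email.allow(recipient, now):
            return {"status": 200, "sent": False}
        self.outbox.append((recipient, now))
        return {"status": 200, "sent": True}


def simulate_burst(service: ForgotPasswordService, email: str, client_ip: str,
                   count: int, start: float, spacing: float = 0.1) -> dict:
    """Replay `count` rapid requests and tally what happened to each one."""
    tally = {"sent": 0, "absorbed": 0, "throttled": 0}
    for i in range(count):
        r = service.request_reset(email, client_ip, now=start + i * spacing)
        if r["sent"]:
            tally["sent"] += 1
        elif r["status"] == 429:
            tally["throttled"] += 1
        else:
            tally["absorbed"] += 1
    return tally


if __name__ == "__main__":
    svc = ForgotPasswordService()
    # Constructed scenario: 100 requests in ten seconds from one TEST-NET-3 address.
    print(simulate_burst(svc, "victim@example.com", "203.0.113.7", count=100, start=1000.0))
    # An hour later the buckets have drained and a genuine reset goes through again.
    print(svc.request_reset("victim@example.com", "203.0.113.7", now=1000.0 + 3600 + 10))
```

The per-recipient cap is what actually protects the victim's mailbox; the per-IP cap only slows one attacker down, so a production deployment would key it on a proxy-aware client address rather than a raw socket peer, and a CAPTCHA on the form adds friction that neither limiter provides. The in-memory deques are a stand-in; a multi-node deployment would back the same logic with a shared store.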
Hi team,
This time I found this vulnerability in website: https://fintel.io
I look forward to hearing from you.
Sincerely,
Hassan Ahmed (ethicalar@gmail.com)