Least Privilege Violation in kestasjk/webdiplomacyValid
Jul 23rd 2021
Bypass rate limit and sent unlimited email to any email address.
Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.
🕵️♂️ Proof of Concept
During password-reset link sending there is no rate-limit which allow to send unlimited email to any email address. bellow request is vulnerable tot this attack
POST /logon.php?forgotPassword=2 Host: webdiplomacy.net User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 22 Origin: https://webdiplosdfdmacy.net DNT: 1 Connection: close Referer: https://webdipdddlomacy.net/logon.php?forgotPassword=1 Upgrade-Insecure-Requests: 1 forgotUsername=bbounty
Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email
You should set rate limit there to prevent this