HackerOne report #1029723 (History: Nov 09, 2020 - 4:47 a.m.)

Stripo Inc: No rate limiting for subscribe email + lead to Cross origin misconfiguration

2020-11-09 04:47:53
lmhu
hackerone.com

Summary:

I found a bypass of the rate limiting using Access-Control-Allow-Origin: and saw the response come back as 200 (vulnerable).
No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions, then there is no rate limit set. This vulnerability has been registered in #297359, #774050 and #922470.

URL Affected
https://stripo.email/subscribe/

Step-by-step Reproduction Instructions:

  • Go to https://stripo.email/ and scroll down to the subscribe button
  • Enter the victim's email and capture the request in Burp Suite
  • Send the request to Burp Intruder and clear all payload positions (§)
  • Set the payload type to null payloads and run Intruder
  • Boom: 1 million requests are sent to the victim's email

Request

POST /subscribe/ HTTP/1.1
Host: stripo.email
X-Requested-With: XMLHttpRequest
Content-Length: 126
Origin: https://evil.stripo.email
Connection: close
Referer: https://evil.stripo.email/

_token=§§&source=LANDING&subscribe-email=hostbugbounty%40gmail.com&g-recaptcha-response=

Response (vulnerable)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Nov 2020 04:33:08 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
X-RateLimit-Limit: 20
X-RateLimit-Remaining: 14
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: https://evil.stripo.email
Content-Length: 234

{"success":{"_token":"Zc3Jo8QdivuDDsaS8LhimIW8mVo88eRVl9FYrBi8","source":"LANDING","subscribe-email":"hostbugbounty@gmail.com","g-recaptcha-response":null},"message":"Thanks! You're subscribed, look for a confirmation email shortly."}

Supporting Material/References:

  • F1070656
  • F1070657

Impact

[CORS bypass + no rate limiting] An attacker can send requests to the victim's email from a cloud server.
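The two defects the report combines are (1) an Access-Control-Allow-Origin header that echoes an attacker-chosen Origin such as https://evil.stripo.email, and (2) no per-target limit on /subscribe/ requests. The following is an added defensive example, not Stripo's code; it models the weak origin check as a domain-suffix match (the report does not show how the server actually derived the header), puts an exact allowlist beside it, and adds a sliding-window limit keyed on the target address. Origins, limits and the handler are constructed for illustration.

```python
from __future__ import annotations
from collections import deque
from time import monotonic
from typing import Callable, Deque, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the exact origins that may call the subscribe endpoint.
ALLOWED_ORIGINS = {"https://stripo.email", "https://my.stripo.email"}

def acao_reflecting(origin: str) -> Optional[str]:
    """Weak pattern: echo any Origin whose host ends in the site domain.
    'https://evil.stripo.email' passes, reproducing the header seen in the report."""
    host = urlsplit(origin).hostname or ""
    return origin if host.endswith("stripo.email") else None

def acao_allowlist(origin: str) -> Optional[str]:
    """Hardened: emit the header only for an exact allowlisted origin string."""
    return origin if origin in ALLOWED_ORIGINS else None

class SubscribeRateLimiter:
    """Sliding-window limit on subscribe requests, keyed per target e-mail
    so one address cannot be flooded regardless of the source IP."""
    def __init__(self, limit: int, window_s: float,
                 clock: Callable[[], float] = monotonic) -> None:
        self.limit, self.window, self.clock = limit, window_s, clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, email: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(email.strip().lower(), deque())
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def handle_subscribe(origin: str, email: str,
                     limiter: SubscribeRateLimiter) -> Tuple[int, Dict[str, str]]:
    """Hypothetical handler: 403 for a non-allowlisted origin, 429 once the
    per-address limit is reached, otherwise 200 with a strict ACAO header."""
    acao = acao_allowlist(origin)
    if acao is None:
        return 403, {}
    if not limiter.allow(email):
        return 429, {"Access-Control-Allow-Origin": acao,
                     "Retry-After": str(int(limiter.window))}
    return 200, {"Access-Control-Allow-Origin": acao}
```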