Stripo Inc: No rate limiting for confirmation email lead to huge Mass mailings

2020-12-10T05:52:08
ID H1:1055503
Type hackerone
Reporter buggfuzz1
Modified 2020-12-11T12:57:35

Description

This report is based on #997070. Issue description: no rate limit means there is no mechanism to protect against many requests made within a short time frame. If repeating the request does not produce any error after 50, 100 or 1000 repetitions, then no rate limit is set. The same vulnerability has been registered in #297359, #774050 and #922470.
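The mitigation the report asks for, as an added example that is not Stripo's code: a sliding-window limiter applied to a "resend confirmation email" action, keyed on the target address (so a victim cannot be flooded) and on the calling client IP (so one source cannot keep hammering other addresses). The limits, key names and the `ResendConfirmationService` wrapper are assumptions for the example; `first_rejection` reproduces the reporter's own test from the defender's side, counting how many repetitions pass before the first error appears.

```python
"""Sliding-window rate limiting for a resend-confirmation endpoint.

Added example, not the target's code. The policy numbers below are
assumptions chosen for the demonstration, not Stripo's real settings.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

# Assumed policy: at most 3 confirmation emails per address per hour and
# at most 20 resend calls per client IP per hour.
PER_EMAIL_LIMIT = 3
PER_IP_LIMIT = 20
WINDOW_SECONDS = 3600


class FakeClock:
    """Injectable clock so the window can be advanced deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class SlidingWindowLimiter:
    limit: int
    window: float
    clock: Callable[[], float]
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)

    def allow(self, key: str) -> bool:
        """Record one hit for `key`; return False once the window is full."""
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        # Forget hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResendConfirmationService:
    """Hypothetical handler: accepts a resend or rejects it with 429."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self.by_email = SlidingWindowLimiter(PER_EMAIL_LIMIT, WINDOW_SECONDS, clock)
        self.by_ip = SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS, clock)
        self.sent: List[str] = []  # stands in for the outgoing mail queue

    def resend(self, email: str, client_ip: str) -> int:
        """Return an HTTP-style status: 202 accepted, 429 rate limited."""
        email_key = email.strip().lower()  # normalise so case variants share a budget
        if not self.by_ip.allow(client_ip):
            return 429
        if not self.by_email.allow(email_key):
            return 429
        self.sent.append(email_key)
        return 202


def first_rejection(service: ResendConfirmationService, email: str,
                    client_ip: str, attempts: int) -> Optional[int]:
    """Repeat the call up to `attempts` times; return the 1-based attempt at
    which the first 429 appears, or None if every attempt was accepted (the
    reporter's "no error after 50, 100, 1000 repetitions" check)."""
    for i in range(1, attempts + 1):
        if service.resend(email, client_ip) == 429:
            return i
    return None


if __name__ == "__main__":
    clock = FakeClock()
    svc = ResendConfirmationService(clock)
    # Constructed values: a victim address and an attacker IP from documentation ranges.
    print("first 429 at attempt:", first_rejection(svc, "victim@example.com", "198.51.100.7", 500))
    print("emails actually sent:", len(svc.sent))
```

With the limiter in place the 500-request intruder run described in the report produces three emails and then a stream of 429s; without it, `first_rejection` returns `None`, which is exactly the signal the reporter used to conclude there was no limit.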

URL affected: https://my.stripo.email

Step-by-step reproduction instructions:
1. Go to https://my.stripo.email/ and create an account.
2. Click "Resend email" for the confirmation and capture the repeated request in Burp Suite.
3. Send the request to Burp Intruder and clear all payload positions (§).
4. In the payloads tab select null payloads and run Intruder.
5. 500+ confirmation emails are sent to the victim's address.

Request

POST /messenger/web/metrics HTTP/1.1
Host: api-iam.intercom.io
Connection: close
Content-Length: 1055
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://my.stripo.email
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

app_id=b1m243ec&v=3&g=71fba9f9e880e5241a4b973c81eca24ce29a291a&s=e5afc0f8-f14c-46b1-ae95-d33036ed6acd&r=https%3A%2F%2Fmy.stripo.email%2Fcabinet%2F&platform=web&Idempotency-Key=b01b737a5a504101&user_data=%7B%22email%22%3A%22abhishekkapdi27%40gmail.com%22%2C%22user_id%22%3A340104%2C%22user_hash%22%3A%2237838c40bcdb9483f11b3f3ac2192ce596a5fce34686429e1a5657d1ca66bfe1%22%7D&internal=&page_title=Emails&user_active_company_id=undefined&metrics=%5B%7B%22id%22%3A%222b130ef1-2b49-47c8-8e84-4da7901d101d%22%2C%22name%22%3A%22m4_metric%22%2C%22created_at%22%3A1607578307%2C%22metadata%22%3A%7B%22user_id%22%3A%225fd1b2a0167668f0a517a05d%22%2C%22action%22%3A%22received%22%2C%22object%22%3A%22message%22%2C%22place%22%3A%22messenger%22%2C%22context%22%3A%22from_launcher_discovery_mode%22%2C%22version%22%3A%2271fba9f9e880e5241a4b973c81eca24ce29a291a%22%7D%7D%5D&logs=%5B%5D&op_metrics=%5B%7B%22name%22%3A%22nexusclient-js.ping_timeout%22%2C%22type%22%3A%22inc%22%7D%5D&hc_metrics=%5B%5D&referer=https%3A%2F%2Fmy.stripo.email%2Fcabinet%2F%23%2Ftemplates%2F344984

Response

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2020 05:32:48 GMT
Content-Type: text/html
Connection: close
Status: 200 OK
Cache-Control: no-cache
Access-Control-Allow-Origin: https://my.stripo.email
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31556952; includeSubDomains; preload
X-Intercom-Version: ca081f6b25f3e43ebaa211111af5f7aded30d3d6
X-XSS-Protection: 1; mode=block
X-Request-Id: 0000ve0ocgsaudprdqug
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
X-Runtime: 0.015774
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Server: nginx
x-ami-version: ami-04a8a471b0875e008
Content-Length: 0

POC {F1111238}

Impact

An attacker can flood the victim's email address with confirmation messages by replaying the request from a cloud server.