Stripo Inc: No rate limiting for confirmation email leads to mass mailings

ID H1:1055503
Type hackerone
Reporter buggfuzz1
Modified 2020-12-11T12:57:35


This report is based on #997070.

Issue Description: "No rate limit" means there is no mechanism protecting an endpoint against many requests made in a short time frame. If repeating the same request 50, 100 or 1000 times never produces an error or a throttling response, no rate limit is in place. The same class of issue has been reported in #297359, #774050 and #922470.

URL Affected

Step-by-step Reproduction Instructions

1. Go to the URL and create an account.
2. Click "Resend Email" for the confirmation mail and capture the request in Burp Suite.
3. Send the request to Burp Intruder and clear all payload positions (§).
4. In the Payloads tab select the "Null payloads" type, set the number of payloads, and start the attack.
5. 500+ identical requests are accepted, and 500+ confirmation emails are sent to the victim's address.


POST /messenger/web/metrics HTTP/1.1
Host: 
Connection: close
Content-Length: 1055
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: 
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


Response

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2020 05:32:48 GMT
Content-Type: text/html
Connection: close
Status: 200 OK
Cache-Control: no-cache
Access-Control-Allow-Origin: 
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31556952; includeSubDomains; preload
X-Intercom-Version: ca081f6b25f3e43ebaa211111af5f7aded30d3d6
X-XSS-Protection: 1; mode=block
X-Request-Id: 0000ve0ocgsaudprdqug
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
X-Runtime: 0.015774
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Server: nginx
x-ami-version: ami-04a8a471b0875e008
Content-Length: 0

POC {F1111238}


Impact: because every repetition returns 200 OK, an attacker can script the same request from a cloud server and flood a victim's inbox with confirmation emails at no cost, which is both a harassment vector and a way to get the sender's mail reputation blacklisted.
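The replay described above, written out as an added example that is not part of the original report and not Stripo's code: the script repeats one captured "resend confirmation" request N times, the way Intruder with a null payload does, and records the first request that is refused. Since the real endpoint and request body are not in this report, a small local server stands in for the target, and the path /api/resend-confirmation, the email form field and the 5-per-60-seconds allowance are assumptions chosen for illustration. The server side also shows the sliding-window limiter a fix would add: all 200s means the report's finding reproduces; a 429 after the allowance means the limit works.

```python
"""Added example: replay a resend-confirmation request and check for a rate limit.

Not from the original report. The target is a local stand-in server with a
per-email sliding-window limiter; endpoint, field name and limits are assumed.
"""
import threading
import time
import urllib.error
import urllib.request
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

WINDOW_SECONDS = 60.0  # assumed window length
MAX_PER_WINDOW = 5     # assumed resends allowed per email per window


class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)
        self.lock = threading.Lock()

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        with self.lock:
            q = self.hits[key]
            while q and now - q[0] > self.window:   # drop hits outside the window
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def make_handler(limiter):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length).decode()
            if self.path == "/api/resend-confirmation":  # hypothetical endpoint
                fields = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
                if limiter.allow(fields.get("email", "")):  # key the limit on the recipient
                    self.send_response(200)
                else:
                    self.send_response(429)
                    self.send_header("Retry-After", str(int(WINDOW_SECONDS)))
            else:
                self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_server(limiter):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(limiter))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def replay(url, body, count):
    """Send the identical POST `count` times (Intruder null payload); return status codes."""
    codes = []
    for _ in range(count):
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req) as resp:
                codes.append(resp.status)
        except urllib.error.HTTPError as err:  # 4xx/5xx are raised, not returned
            codes.append(err.code)
    return codes


def first_refusal(codes):
    """1-based index of the first 4xx/5xx, or None when every repeat succeeded
    (the 'no rate limit' condition from the report)."""
    for i, code in enumerate(codes, 1):
        if code >= 400:
            return i
    return None


def run_check(count=20):
    """Stand up the stand-in server, replay `count` requests, return the status codes."""
    srv = start_server(SlidingWindowLimiter(MAX_PER_WINDOW, WINDOW_SECONDS))
    try:
        url = f"http://127.0.0.1:{srv.server_port}/api/resend-confirmation"
        return replay(url, "email=victim%40example.com", count)  # constructed sample body
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    result = run_check()
    print(result)
    print("first refusal at request:", first_refusal(result))
```

Against a real target, point `replay` at the captured URL and body instead of the local server and raise `count` to the 500+ used in the report; `first_refusal` returning None after that many repeats is the evidence the report relies on.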