Uzbey: Email Flooding Vuln

2014-06-23T12:13:53
ID H1:17321
Type hackerone
Reporter iamthefrogy
Modified 2014-08-07T18:44:30

Description

Your contact us form has no captcha implementation. NOW THIS IS NOT A DOS VULNERABILITY. It is called a logical flaw in your website.

By using your contact us form I can flood anyone's email id on the planet.

Because once the contact us form has been filled in, your application sends a reply back to the email id given to the server. Ideally this should not happen, or else anyone in the world can give my email id with 1000 requests and I will be flooded by your server 1000 times.

That is why either you should stop giving the message to the client that "WE HAVE RECEIVED YOUR REQUEST AND REQ NO IS 'XYZ' OUR REVIEW TEAM " or you should implement a captcha system on your form.

There is a huge difference between a DOS issue and this issue. In a DOS issue I try to send so many requests, so it's up to your server whether to respond to me or not. In this issue I use your server to flood someone... that is why it has higher impact, and I am reporting this.

Detailed video is attached here in the link... Kindly see. It's not a DOS vuln... it's called a logical flaw: email flooding.

VIDEO TUTORIAL LINK - DOWNLOAD AND SEE FOR HIGH QUALITY OR SEE ONLINE WITH LESS QUALITY. - https://www.dropbox.com/s/3f5vdn1q6xxza66/Email%20flooding%20UZbey.mp4?m=
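
Editor's added example (not part of the report and not the site's code): one server-side mitigation for the flaw described above is to keep storing every contact request but throttle the automatic acknowledgement per recipient address and per client IP. The names `AckThrottle` and `handle_submission`, the limits, and the in-memory store are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class AckThrottle:
    """Sliding-window limiter for auto-reply mail, keyed by recipient and client IP."""

    def __init__(self, per_recipient=1, per_ip=5, window=3600.0):
        # Assumed limits: 1 acknowledgement per address and 5 per IP per hour.
        self.limits = {"rcpt": per_recipient, "ip": per_ip}
        self.window = window
        # In-memory store for the example; a shared store is needed across workers.
        self.events = defaultdict(deque)  # (kind, key) -> timestamps of sent acks

    def _count(self, bucket, now):
        q = self.events[bucket]
        while q and now - q[0] >= self.window:  # drop entries older than the window
            q.popleft()
        return len(q)

    def allow(self, recipient, client_ip, now=None):
        now = time.monotonic() if now is None else now
        # Normalise the address so case or padding variants share one bucket.
        buckets = [("rcpt", recipient.strip().lower()), ("ip", client_ip)]
        if any(self._count(b, now) >= self.limits[b[0]] for b in buckets):
            return False
        for b in buckets:
            self.events[b].append(now)
        return True


def handle_submission(throttle, outbox, email, client_ip, message, now=None):
    """Always store the request; send the acknowledgement only if allowed."""
    ticket = {"email": email, "message": message}
    ack = throttle.allow(email, client_ip, now)
    if ack:
        outbox.append(email)  # stand-in for the real mail send
    return {"stored": ticket, "ack_sent": ack}
```

With these limits, 1000 submissions naming the same address produce a single acknowledgement within the window, regardless of how many client IPs they come from.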