
No Rate Limitation on password reset link #48

@amitbhakar

Description

Hi team,

I want to report a security vulnerability.

Vulnerable link: https://beancount.io/forgot-password
Vulnerability name: No rate limitation on password reset link

Steps to reproduce the issue

Step 1 - Go to this link: https://beancount.io/forgot-password

Step 2 - Intercept the invite request in Burp.

Step 3 - Now send this request to Intruder and repeat it up to 1000 times, fixing an arbitrary payload position that has no effect on the request; I chose Accept-Language: en-US,en;q=$0.5$

Step 4 - See that you get a 200 OK status code for every request, and you receive the emails.
This results in mass mailing or email bombing of your users, which is bad for business.

Solution -
I would recommend you add a reCAPTCHA, or something similar that requires manual human interaction to proceed (for example a captcha like 2+2=_), so that it cannot be brute forced. You can also have a limit at the backend for a particular number, e.g. up to 5 times a day a user can request an invite or a link; something like that will prevent someone from exploiting this vulnerability.

[Screenshot 2024-04-06 181821]

Impact:
If you are using any email service software, API or other tool that charges you per email, this type of attack can result in financial loss. It can also slow down your services and take up a large amount of storage in sent mail. Moreover, if users are affected by this vulnerability they may stop using your services, which can lead to business risk.

Thanks & Regards
Amit kumar
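Added example, not code from the report or from the beancount.io project: a Python sketch of the backend limit the report recommends, throttling reset mails per account (5 per day, the figure suggested above) and per source IP (an assumed 20 per hour), and a replay of the 1000-request scenario showing how many mails would actually be sent. The limits, addresses and function names are assumptions.

```python
"""Per-account and per-source-IP throttle for a forgot-password endpoint."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple


@dataclass
class ResetRateLimiter:
    # Assumed limits: 5 reset mails per account per day (as the report suggests)
    # and 20 requests per source IP per hour, both as sliding windows.
    per_account_limit: int = 5
    per_account_window: float = 24 * 3600
    per_ip_limit: int = 20
    per_ip_window: float = 3600
    _account_hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _ip_hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(hits: Deque[float], now: float, window: float) -> None:
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] > window:
            hits.popleft()

    def allow(self, email: str, client_ip: str, now: float) -> Tuple[bool, str]:
        email = email.strip().lower()          # one budget per account, not per spelling
        acct, ip = self._account_hits[email], self._ip_hits[client_ip]
        self._prune(acct, now, self.per_account_window)
        self._prune(ip, now, self.per_ip_window)
        if len(ip) >= self.per_ip_limit:
            return False, "ip_limit"
        if len(acct) >= self.per_account_limit:
            return False, "account_limit"
        acct.append(now)
        ip.append(now)
        return True, "ok"


def handle_forgot_password(limiter: ResetRateLimiter, email: str, client_ip: str,
                           now: float, send_mail: Callable[[str], None]) -> int:
    allowed, _reason = limiter.allow(email, client_ip, now)
    if allowed:
        send_mail(email)
    return 200  # respond identically whether or not a mail was sent


def simulate_burst(n: int = 1000) -> dict:
    """Replay the report's scenario: one IP repeats the request n times."""
    limiter, sent = ResetRateLimiter(), []
    for i in range(n):
        handle_forgot_password(limiter, "victim@example.com", "203.0.113.10", 1000.0 + i, sent.append)
    return {"requests": n, "mails_sent": len(sent)}
```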
