Description
I found a vulnerability on your website.
Vulnerability Domain:
Vulnerability Name:
Summary:
A rate-limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache.
Possible scenarios:
An attacker could use this vulnerability to bomb the victim's email inbox.
An attacker could send spear-phishing emails to the selected mail address.
An attacker might cause a denial of service on the mail servers.
Business Impact
If you are using any email service software, API, or other tool that charges you for your email, this type of attack can result in financial loss. It can also slow down your services and take up a bulk of storage in sent mail. If users are affected by this vulnerability, they may stop using your services, which can lead to business risk.
Steps To Reproduce:
Step 1 - Go to this link: https://python.org/accounts/login/
Enter your email and click on "Password reset".
Step 2 - Intercept this request in Burp and forward until you find your number in the request, like {"email":"your email here"}
Step 3 - Send it to Intruder and start a Sniper attack with null payloads.
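The report describes the missing control only in one sentence, so here is an added example of what a per-IP and per-address rate limiter for a password-reset endpoint looks like, together with a replay of the Intruder-style flood from the steps above. This is illustrative code written for this issue, not code from python.org or the pythondotorg project; the limits (20 resets per hour per source IP, 3 reset mails per hour per target address), the IP address and the email addresses are hypothetical, and the in-memory deque stands in for whatever session or IP cache the site actually uses.

```python
"""Illustrative rate limiter for a password-reset endpoint (added example).

Not code from python.org / pythondotorg. The limits, addresses and the
in-memory cache below are assumptions made for this example.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span.

    The per-key deque stands in for the session/IP cache the report mentions;
    a real deployment would keep this in a shared store so that every web
    worker sees the same counts.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        """Record an event for `key` and return True if it is within the limit."""
        now = self.clock() if now is None else now
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Hypothetical limits: a source IP may trigger 20 resets per hour,
# a single target address may receive 3 reset mails per hour.
IP_LIMIT = (20, 3600)
EMAIL_LIMIT = (3, 3600)


def normalize_email(email):
    """Canonicalise so 'Victim@Example.com ' and 'victim@example.com' share one bucket."""
    return email.strip().lower()


def password_reset_allowed(ip, email, ip_limiter, email_limiter, now=None):
    """Return (allowed, reason).

    The reason is for server-side logging only: the HTTP response should be
    identical either way, so the endpoint does not reveal which addresses
    have accounts or which ones are currently throttled.
    """
    if not ip_limiter.allow(ip, now):
        return False, "ip-rate-limited"
    if not email_limiter.allow(normalize_email(email), now):
        return False, "email-rate-limited"
    return True, "ok"


def simulate_flood(n, distinct_targets=False):
    """Replay n reset requests from one IP, one per second (constructed input),
    and return how many the limiter lets through to the mailer."""
    ip_limiter = SlidingWindowLimiter(*IP_LIMIT)
    email_limiter = SlidingWindowLimiter(*EMAIL_LIMIT)
    ip = "198.51.100.7"  # hypothetical attacker address
    accepted = 0
    for i in range(n):
        # One victim hammered repeatedly, or a different target per request.
        email = f"user{i}@example.com" if distinct_targets else "Victim@Example.com"
        ok, _ = password_reset_allowed(ip, email, ip_limiter, email_limiter, now=float(i))
        accepted += ok
    return accepted


if __name__ == "__main__":
    print("one target, 100 requests -> mails sent:", simulate_flood(100))
    print("100 targets, 100 requests -> mails sent:", simulate_flood(100, distinct_targets=True))
```

The two keys matter independently: the per-address limit is what stops the inbox bombing and the mailer cost, while the per-IP limit stops one source from spraying resets at many addresses. Both checks should happen before any mail is queued, and the response body and status should not differ between throttled and unthrottled requests.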