ReportLink:https://hackerone.com/reports/229825
WeaknessName:Brute Force
Reporter:https://hackerone.com/imran_hadid
ReportedTo:Weblate(weblate)
BountyAmount:
Severity:low
State:Closed
DateOfDisclosure:02.07.2017 9:52:58
Summary:
Hi,
A rate limit issue exists in hosted.weblate.org. An attacker is able to send as many emails as he wants to the victim's mail. The attacker can successfully brute force any user's mail account even when rate limiting is enabled.
Steps to reproduce:
1. Sign up and log in to [hosted.weblate.org](https://hosted.weblate.org)
2. Go to the [Password reset](https://hosted.weblate.org/accounts/reset/) option
3. Enter an email address.
4. Set up a proxy server (I used Burp)
5. Configure your browser (Firefox in my case) to work with the proxy server
6. Click on the "Reset my password" button
7. Intercept the request
8. Send it to Intruder
9. Set the position as your given email
10. Set the payload as many times as you want to send mail
11. Click on start attack
The victim will get as many mails as the number of payloads you added. In my case I added up to 300 and it hit my mailbox up to 300 times.
## Request
```http
POST /accounts/reset/ HTTP/1.1
Host: hosted.weblate.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
Referer: https://hosted.weblate.org/
Cookie: csrftoken=csrftoken_here
Connection: keep-alive
Upgrade-Insecure-Requests: 1
csrfmiddlewaretoken=csrfmiddlewaretoken_here&[email protected]&content=&captcha=captcha_here
```
{F186001}
{F186002}
Thanks
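A defensive counterpart to the report above, added here and not Weblate's code: a sliding-window limiter for the reset endpoint keyed on both the requesting IP and the target address, with `simulate_flood` replaying the 300-request scenario to show how many mails would actually go out. The limits, the sample IP and the sample address are constructed.

```python
"""Sliding-window rate limiter for a password-reset endpoint (added example,
not Weblate's code). Limits are keyed both on the requesting client IP and
on the target e-mail address: capping only the IP would let an attacker
rotate addresses, capping only the e-mail would let one client spray many
victims. All limits and the sample IP/address below are constructed."""
from collections import defaultdict, deque

PER_EMAIL_LIMIT = 5      # reset mails per target address per window
PER_IP_LIMIT = 10        # reset requests per client IP per window
WINDOW_SECONDS = 3600


class ResetRateLimiter:
    def __init__(self, per_email=PER_EMAIL_LIMIT, per_ip=PER_IP_LIMIT,
                 window=WINDOW_SECONDS):
        self.per_email, self.per_ip, self.window = per_email, per_ip, window
        self._email_hits = defaultdict(deque)   # email -> request timestamps
        self._ip_hits = defaultdict(deque)      # ip    -> request timestamps

    def _prune(self, hits, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, client_ip, email, now):
        """Return True if a reset mail may be sent for this request.

        The caller should render the same "if that account exists, we sent a
        mail" page whether or not this returns True, so the limiter does not
        become an account-enumeration or timing oracle."""
        email_hits = self._email_hits[email.strip().lower()]
        ip_hits = self._ip_hits[client_ip]
        self._prune(email_hits, now)
        self._prune(ip_hits, now)
        if len(email_hits) >= self.per_email or len(ip_hits) >= self.per_ip:
            return False
        email_hits.append(now)
        ip_hits.append(now)
        return True


def simulate_flood(attempts=300, ip="198.51.100.7", email="victim@example.invalid"):
    """Replay the report's scenario: one client firing `attempts` reset requests
    one second apart. Returns how many mails would actually have been sent."""
    limiter = ResetRateLimiter()
    return sum(1 for i in range(attempts) if limiter.allow(ip, email, now=1000.0 + i))
```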