Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Lack of Rate Limiting on Account Creation Endpoint

Low
X
XVIDEOS
Submitted None

Team Summary

Official summary from XVIDEOS

## Summary A vulnerability has been identified in the account creation process of █████. The `/account/signinform/premium_tour_login` endpoint is found to lack proper rate limiting mechanisms. This security flaw allows for the automated creation of multiple user accounts without any restrictions. The vulnerability can be exploited using tools such as Burp Suite's Intruder to generate a large number of fake accounts rapidly. This issue poses significant risks to the platform's integrity and operational stability. ## Steps to Reproduce 1. Navigate to the account creation page on ████. 2. Fill in the required details (email, username, and password). 3. Intercept the HTTP POST request using Burp Suite. 4. Send the captured request to Burp Suite's Intruder. 5. Configure the ███ position in the email field. Replace `██████` with `████`. 6. Set the ████████ type to numbers and range it from 0 to 1000. 7. Start the attack. 8. Observe that the server processes all requests successfully, creating accounts without rate limiting or CAPTCHA validation. Additional Evidence: Intercepted request example: ``` POST /account/signinform/premium_tour_login HTTP/1.1 Host: ██████ Content-Type: application/x-www-form-urlencoded Content-Length: 120 email=███&password=█████&username=███████ ``` ## Impact The vulnerability's impact includes: 1. Account Flooding: The system can be overwhelmed with automated creation of fake accounts. 2. Abuse & Spamming: Fake accounts can be utilized for malicious activities on the platform. 3. Degraded Performance: Legitimate users may experience slower system performance. 4. Data Exposure: There is a potential risk of sensitive user data being leaked. 5. Reduced Integrity: The platform's user data integrity is compromised, increasing overall security risks. 6. Availability Issues: Server overload may impact system availability. Additionally, the typical impacts of vulnerabilities related to insufficient rate limiting (CWE-307) include: - Resource consumption leading to Denial of Service - Increased load on authentication mechanisms - Potential for brute force attacks on user credentials - Skewed analytics and user statistics - Increased operational costs due to unnecessary resource allocation

Actions:
View on HackerOne
Reported by nagu123

Vulnerability Details

Technical details and impact analysis

--- **Title:** Lack of Rate Limiting on Account Creation Endpoint **Description:** The **`/account/signinform/premium_tour_login`** endpoint on **██████████** lacks rate limiting, allowing attackers to automate the account creation process. This vulnerability can be exploited to generate a large number of fake accounts by automating requests using tools like Burp Suite's Intruder. **Endpoint Affected:** `POST /account/signinform/premium_tour_login` Host: `█████` **Steps to Reproduce:** 1. Navigate to the account creation page on **███**. 2. Fill in the required details such as email, username, and password. 3. Intercept the HTTP POST request using Burp Suite. 4. Send the captured request to Burp Suite's Intruder. 5. Configure the ████████ position in the email field. For example, replace `████████` with `████`. 6. Set the ██████████ type to numbers and range it from `0` to `1000`. 7. Start the attack. 8. Observe that the server processes all requests successfully, creating accounts without rate limiting or CAPTCHA validation. █████████ **Impact:** This vulnerability can lead to: - Creation of numerous fake accounts, overwhelming legitimate user registrations. - Exploitation by malicious actors for bot-related activities, such as spamming or abusing the platform. - Increased server resource usage and potential degradation of service. **Suggested Fixes:** - Implement a rate-limiting mechanism for the affected endpoint. For example: - Limit requests to a maximum of 5 per minute per IP address. - Introduce CAPTCHA verification during the account creation process to prevent automated requests. - Enforce email verification to finalize the account registration process. **Proof of Concept (PoC):** 1. Intercepted request (example): ``` POST /account/signinform/premium_tour_login HTTP/1.1 Host: ████ Content-Type: application/x-www-form-urlencoded Content-Length: 120 email=██████████&password=████████&username=█████ ``` ████████ 2. Screenshot or logs from Burp Suite Intruder showing multiple successful account creation responses for email variations (e.g., `███`, `████`, etc.). █████ ## Impact ### ** Impact**: - **Account Flooding**: Automated creation of fake accounts overwhelms the system. - **Abuse & Spamming**: Fake accounts can be used for malicious activities. - **Degraded Performance**: Slower system performance for legitimate users. - **Data Exposure**: Sensitive user data may be leaked. - **Reduced Integrity**: Compromised user data and increased security risks. - **Availability Issues**: Server overload impacting system availability.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$200.00

Submitted